Unless you have an Oracle product that requires Java 6 or are paying for support for that version of the platform, you’d seen the last publicly available updates as of February. That doesn’t mean attackers have pushed back from targeting Java 6, and that certainly doesn’t mean that organizations have upgraded to version 7.

Reportedly, exploit code for a previously patched vulnerability in Java 6 has been folded into the Neutrino exploit kit, another reminder for organizations reliant on the Java to stay tuned in and up to date on patches for the browser plug-in.

The vulnerability, CVE-2013-2463, was patched in June when Oracle released its most recent Critical Patch Update for Java 7 Update 25. According to the CVE entry, the flaw is in the Java 2D subcomponent and affects Java SE 7 Update 21 and earlier, Java 6 Update 45 and earlier and Java 5.0 Update 45 and earlier, as well as OpenJDK 7. The new exploit is another in a long line of Java sandbox bypasses, this one related to an incorrect image attribute verification in Java 2D, according to the CVE entry.

“The bug exploited is however quite serious as memory corruption issues can usually lead to complete Java security compromise,” said Java bug hunter Adam Gowdiak of Security Explorations in Poland. “Java 2D is the component especially prone to such issues as it relies on a native code layer implementing support for numerous graphics operations.”

Gowdiak said he has not seen the new exploit code and was not able to comment on its effectiveness or reliability. He did, however, join the chorus of experts urging organizations to move onto Java 7.

“Java SE 6 lacks security levels (security warnings) introduced to Java SE 7. According to recently published data, the software is still in a widespread use among corporations, but support for it and security fixes in particular are available to paying customers only,” Gowdiak said. “All of the above makes Java SE 6 an attractive target for attackers.”

Java 7 has not been without its security issues, however. A number of sandbox bypass vulnerabilities and exploits have been unearthed in 2013, many of those related to serious issues with the new Reflection API introduced in Java 7.

Recent Java updates have brought about changes that prevent unsigned applets from executing by default. Users also see enhanced security warnings about potentially malicious applets and configurations that restrict what older Java versions can do. While signed applets do limit the effectiveness of some malware, it’s been proven that attackers don’t have much of an issue getting their hands on stolen digital certificates that validate malicious applets as legitimate.

Oracle also said earlier this year it would delay the release of Java 8 until Q1 of 2014, rather than next month as originally scheduled, to get its security house in order. Oracle promises enhancements to the Java security model, new security features and to increase the pace at which vulnerabilities are patched.

“Security levels introduced into Java SE 7 changed the whole picture as numerous security warnings got introduced into the software that made Java SE 7 rather less attractive for attackers,” Gowdiak said.

As for the Java 6 exploit, the fact that it has been introduced into an exploit kit and that Java 6 is still seeing widespread use is cause for alarm, according to Qualys’ Wolfgang Kandek, who notes on the company’s Laws of Vulnerabilities blog that just over 50 percent of the Java population still uses Java 6.

Per usual, experts are advising users or groups still running Java 6 update to Java 7 but in some cases that’s easier said than done. As Kandek notes many corporations have Java 6 linked with other critical business applications and – almost like a game of Jenga – removing it or even updating it could cause the whole tower to crumble.

“In essence they accept the risk of outdated Java in order to be able to continue to do business,” Kandek says in the blog post.

Oracle retired Java 6 in February, effectively suspending free updates for the foreseeable future, meaning that only Customers that pay for Java and commercial support can install Java 6 Update 51, the most recent Java 6 update.

Categories: Vulnerabilities, Web Security

Comment (1)

  1. David Jorm
    1

    Oracle no longer provides public updates to Oracle Java SE 6. These updates, which may include security patches, are now only available to users of Oracle Java SE 6 who have a commercial support agreement with Oracle. However, OpenJDK 6 remains supported and actively patched for security flaws. An OpenJDK 6 patch for CVE-2013-2463 is available:

    http://mail.openjdk.java.net/pipermail/distro-pkg-dev/2013-July/023941.html

    Java 6 security flaws reported directly to Oracle may only be resolved in their commercial patch stream, with no fix available to users of OpenJDK or other Java 6 implementations. Security issues that affect Java 6 can be reported to the Red Hat Security Response Team:

    http://securityblog.redhat.com/2013/07/03/reporting-security-flaws-for-openjdk-6/

Comments are closed.