Security: Experts warn on Java 6 Vulnerability

Oracle released Java 7 update 25 in June 2013, acknowledging that the Java Runtime Environment (JRE) bug (CVE-2013-2463) also affected the older version, Java 6, and advised users to upgrade to the most recent version. In the last few days, security experts have uncovered active exploitation of the Java 6 vulnerability, with "Proof of Concept for CVE-2013-2463" attack code being used to compromise users' systems.

The Neutrino crimeware kit, first uncovered in March 2013, appears to be the delivery vehicle for the exploit, according to F-Secure security analyst Timo Hirvonen.

The attack exploits the Java vulnerability to install ransomware on the user's PC; the victim is then coaxed into paying a "fine", with the demand citing law enforcement involvement, among other pretexts. The bug could be "exploited by malicious local users to disclose certain sensitive information, manipulate certain data, and gain escalated privileges and by malicious people to conduct spoofing attacks, disclose certain sensitive information, manipulate certain data, cause a DoS (denial of service), bypass certain security restrictions, and compromise a vulnerable system," according to Secunia.

Java 6 was officially retired in February, which is why the company did not make a patch available for it and instead recommended that users upgrade to Java 7. Even so, almost 48% of all Java users in the U.S. were still on Java 6, according to statistics released in March 2013.