Reports of an active exploit targeting an unpatched vulnerability in Java 6 recently surfaced. Upgrading to the latest version of Java is the prescribed solution, though for some users, this is easier said than done.
The exploit, detected by Trend Micro as JAVA_EXPLOIT.ABC, targets CVE-2013-2463, which Oracle addressed last June. Java 6 is also affected by this vulnerability, but Oracle has not supported that version since April this year. More alarming, the exploit has been confirmed to be integrated into the Neutrino exploit kit. Previously, this exploit kit was found to serve users ransomware variants, which are known to lock important files, and often the system itself, until affected users pay a fee or “ransom”.
Because Oracle no longer supports this version, it has not stated any intention to patch the flaw. With more than 50% of users still using Java 6, this can have serious implications. Because no patch is (or will be) available, the exploit gives cybercriminals and other attackers an effective vehicle for attacks on users and organizations running Java 6. These attacks may involve the aforementioned Neutrino exploit kit and ransomware variants, which may cause serious business disruption and, in some cases, actual monetary loss (due to users paying the ransom).
The impact of this threat may be smaller for ordinary Internet users than for organizations and other entities, which may not be quick to migrate to the latest software version because of business and/or operational continuity issues.
This incident may also be a sneak peek at what might happen once Microsoft halts its support for Windows XP. Last April, the company reiterated its intention to end support for the OS and Office 2003 by April 2014 and encouraged its users to migrate to the more modern Windows 7 and 8.
For users, the best course of action is to migrate to the latest version of Java. Organizations that have not yet started are strongly encouraged to begin migrating to the latest software version, to avoid this and other attacks that might take advantage of the unpatched vulnerability. Trend Micro detects and deletes the exploit and blocks access to sites hosting the malware.
Update as of 8:00 PM, PDT
Existing Trend Micro solutions, including our Web Reputation Service and the browser exploit prevention integrated into Trend Micro™ Titanium™ 2013, already provide protection to users out of the box, without requiring any updates to be downloaded.
Update as of 9:00 AM, PDT Sept. 2, 2013
Trend Micro Deep Security protects users from exploits targeting the vulnerability cited in this blog post via rule 1005652 – Oracle Java SE Remote Code Execution Vulnerability (CVE-2013-2463).