Security researchers are recommending Java users upgrade to the latest version due to a new exploit that has made its way into the Neutrino exploit kit.
In a tweet, F-Secure’s Timo Hirvonen warned that an exploit for CVE-2013-2463 is circulating a week after proof-of-concept code for an exploit appeared.
The Neutrino kit is well-known to security researchers, and was spotted in March by Trend Micro being offered for rental at a price of $40 per day or $450 per month (both USD).
According to MITRE's CVE entry (cve.mitre.org), CVE-2013-2463 “allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to 2D.” The vulnerability applies to client deployments of Java only. Affected versions are Oracle Java SE 7 Update 21 and earlier, 6 Update 45 and earlier and 5.0 Update 45 and earlier, as well as OpenJDK 7.
In his tweet, Hirvonen advised users to either uninstall Java or upgrade to the latest version, Java Runtime Environment 7 update 25. Qualys CTO Wolfgang Kandek agreed, noting his firm still sees “very high rates” of Java 6 installed and many businesses are reluctant to upgrade out of fear of disrupting business critical applications.
Java 6 is of particular concern since Oracle is no longer issuing public updates for it.
“For users of Java 6, it might be useful to look into the whitelisting of Java applets,” he blogged. “Internet Explorer supports this out of the box through its concept of ‘Zones’ and while it is not a perfect solution, it should deal with the most common attack vector – an applet embedded in a webpage.”
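The zone-based whitelist Kandek describes can be scripted for a single user profile as follows. This is an added example, not code from the article or from Qualys: it disables Java in Internet Explorer's Internet zone and allows it only for hosts placed in the Trusted sites zone. The registry paths, the zone numbers (3 = Internet, 2 = Trusted sites), the DWORD name 1C00 for “Java permissions” with 0 meaning “Disable Java”, and the ZoneMap assignment value 2 are assumptions drawn from IE's documented zone settings; confirm them against Internet Options on your own build before turning the script into a Group Policy. The host names are constructed placeholders.

```powershell
# Added example (not from the article or Qualys): whitelist Java applets in
# Internet Explorer via security zones.
# Assumptions to verify on your build before deploying:
#   - Zones\3 = Internet zone, Zones\2 = Trusted sites zone
#   - DWORD 1C00 = "Java permissions": 0 = Disable Java, 0x10000 = High safety
#   - ZoneMap\Domains\<host>\<scheme> = 2 assigns that host to Trusted sites
# Writes to HKCU, so run it as the user whose IE profile is being changed.

$zones   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$zoneMap = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'

# Constructed placeholders: the business applications that still need applets.
$allowedHosts = @('erp.example.internal', 'hr-portal.example.internal')

function Set-ZoneJavaPermission {
    param([int]$Zone, [int]$Value)
    $key = "$zones\$Zone"
    if (-not (Test-Path $key)) { throw "Zone key not found: $key" }
    Set-ItemProperty -Path $key -Name '1C00' -Value $Value -Type DWord
}

function Get-ZoneJavaPermission {
    param([int]$Zone)
    (Get-ItemProperty -Path "$zones\$Zone" -Name '1C00').'1C00'
}

function Add-TrustedSite {
    # Assign the host to Trusted sites for https only, so a plain-http
    # man-in-the-middle cannot borrow the whitelisted origin.
    param([string]$HostName)
    $key = "$zoneMap\$HostName"
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    Set-ItemProperty -Path $key -Name 'https' -Value 2 -Type DWord
}

# 1. Internet zone: no Java at all (the drive-by applet case).
Set-ZoneJavaPermission -Zone 3 -Value 0

# 2. Trusted sites: Java stays enabled at "High safety".
Set-ZoneJavaPermission -Zone 2 -Value 0x10000

# 3. Move the known applet hosts into Trusted sites.
foreach ($h in $allowedHosts) { Add-TrustedSite -HostName $h }

# 4. Read back and report.
'Internet zone Java permissions: 0x{0:X}' -f (Get-ZoneJavaPermission -Zone 3)
'Trusted sites Java permissions: 0x{0:X}' -f (Get-ZoneJavaPermission -Zone 2)
```

Two caveats a practitioner should check. The “Java permissions” zone setting predates Oracle's plug-in, so after applying it, load a test page that embeds an applet from a non-whitelisted host and confirm the applet does not run; if it still does, fall back to the zone's “Run ActiveX controls and plug-ins” setting or to blocking the Java plug-in's ActiveX control outright. And, as Kandek notes, this only covers Internet Explorer; other browsers need their own plug-in controls.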
In an email to SecurityWeek regarding Qualys' recently published list of the most prevalent and critical vulnerabilities for August, Kandek wrote that Java seems to be the software package that is the most challenging to address.
“I have talked to organizations that have pointed out that they are forced by their applications vendor to run certain outdated versions of Java and that they cannot update or disable them because it would affect business critical applications,” he wrote. “So in essence they accept the risk of outdated Java in order to be able to continue to do business.”
Late last week, new statistics from Rapid7 showed that many organizations are falling behind on their patching elsewhere as well. According to the survey of roughly 600 respondents, 17 percent have not updated, or are unsure whether they have updated, the machines in their organization to the latest operating systems.
“When it comes to challenges with patches, operating systems are often easier to patch than applications,” said Matt Hathaway, senior product manager at Rapid7. “However, the challenge with patching endpoint OSs, unlike servers and network devices, is that in many organizations they do not enforce automatic updates, and so non-IT personnel need to agree to accept updates and reboot their endpoints.”
Kandek advised organizations to prioritize patches by looking at the vulnerabilities that actually get exploited, using threat intelligence from vendors as well as which vulnerabilities are supported in exploit kits, Exploit DB, Metasploit, Immunity Canvas and Core Impact.