Millions of PCs vulnerable to Java 6 exploit kit released last week
Neutrino exploit kit updated to take advantage of Java 6 vulnerability - attacks already seen this week
Millions of PC users are at risk from a "critical" vulnerability in Java, following the discovery of an exploit in the wild that has been incorporated into the Neutrino exploit kit.
In a Critical Patch Update Advisory issued in June 2013, Oracle rated the vulnerability at 10 out of 10 on its Common Vulnerability Scoring System. The vulnerability lies in a sub-component of the Java Runtime Environment used to generate two-dimensional graphics.
Although Oracle issued patches to fix the bug in Java 6 back in April, about half of Java users still have not updated the software to the latest version.
"An attacker can execute their own code on the system to infect it with malware," Timo Hirvonen, a senior analyst at security firm F-Secure, told SCMagazine. "It might be that you get some links in spam, and that link leads to this Neutrino exploit kit, or you visit an infected website."
The infected website, in turn, can install the exploit kit in a "drive-by" download.
Exploit kits enable attackers to build automated attacks more quickly and easily, also enabling less skilled hacking groups to attack targets.
According to Wolfgang Kandek, chief technology officer of cloud security company Qualys, endpoint scans conducted during the summer indicate that half of Java users are still using version 6, which Oracle is no longer supporting.
Many of the users still running Java 6 will be ordinary users who may not even be aware that their PC is running Java. However, many others will be organisations running Java applications in browsers that might break should the organisation upgrade to version 7.
The latest version of Java, Java 7.25, is immune from the vulnerability.
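Since the risk described here comes down to which Java build each endpoint is running, a simple inventory check is the practical defender's response. The following is an added example, not code from the article or from any vendor named in it: it parses the version token from `java -version` output and classifies each host against the Java 7 Update 25 release the article names as immune (the sample inventory is constructed, and the "unsupported" label for Java 6 follows the article's statement that Oracle no longer supports it).

```python
import re

# The article names Java 7 Update 25 as immune; anything earlier on the
# Java 7 line is treated as needing the update. Java 6 is flagged separately
# because the article states Oracle no longer supports it.
PATCHED_MAJOR, PATCHED_UPDATE = 7, 25

# Matches the version token printed by `java -version`, e.g. 1.7.0_25,
# whether bare or inside the usual 'java version "..."' line.
_VERSION_RE = re.compile(r'1\.(?P<major>\d+)\.\d+(?:_(?P<update>\d+))?')

def parse_java_version(text):
    """Return (major, update) from a `java -version` line or bare version string."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError("no Java version found in: %r" % text)
    update = int(m.group("update")) if m.group("update") else 0
    return int(m.group("major")), update

def classify_java_version(text):
    """Classify one installed runtime relative to the fixed release."""
    major, update = parse_java_version(text)
    if major <= 6:
        return "unsupported"   # Java 6 or older: upgrade to a supported line
    if major == PATCHED_MAJOR and update < PATCHED_UPDATE:
        return "vulnerable"    # Java 7 before Update 25
    return "patched"           # 7u25 or later, or a newer major line

def summarise_inventory(lines):
    """Count categories across many `java -version` outputs (one per host)."""
    counts = {"unsupported": 0, "vulnerable": 0, "patched": 0, "unknown": 0}
    for line in lines:
        try:
            counts[classify_java_version(line)] += 1
        except ValueError:
            counts["unknown"] += 1   # no Java found, or unparseable output
    return counts

# Constructed sample inventory for demonstration; not real endpoint data.
SAMPLE_INVENTORY = [
    'java version "1.6.0_45"',
    'java version "1.7.0_21"',
    'java version "1.7.0_25"',
    'java version "1.7.0_40"',
    'bash: java: command not found',
]

if __name__ == "__main__":
    print(summarise_inventory(SAMPLE_INVENTORY))
```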
Oracle has been repeatedly criticised both for the poor standard of security in Java, which is supposed to run in a "sandbox" environment to prevent it from representing a security threat, and for its past lackadaisical attitude to patching.
It now patches the software on a fixed quarterly basis, with the next batch of patches due on 15 October 2013.