Security researchers at F-Secure have discovered an unpatched vulnerability in Java 6, named CVE-2013-2463, and urged users to upgrade to Java 7 as soon as possible.

F-Secure senior analyst Timo Hirvonen warned users via Twitter yesterday that the vulnerability has been exploited in the wild, and the only way to prevent cyber attacks is upgrading to Java 7, which was fixed by Oracle in June with a Critical Patch Update. Java 6 became unsupported in April.

The Java 6 bug is a ”zero-day vulnerability,” according to Wolfgang Kandek, CTO of Qualys, a cloud security company. “We know about its existence, but do not have a patch at hand,” he said in a blog post. “This happens each time a software package loses support.”

According to Kandek, more than 50% of users still have Java 6 installed, leaving them unpatched and vulnerable.