Freelance Word Punk


Tuesday, August 27, 2013

The no-patch Java 6 zero-day conundrum

Java vulnerabilities have hardly been out of the news during the last year. Here at DaniWeb we've covered a number of the stories as they surfaced: "Java in the cross-hairs: the security debate rolls on", "Is Java 7 still insecure? Oracle Patch doesn't fix underlying vulnerability", "Update my insecure Java plug-in? Meh, say 72% of users" and "WARNING: New zero-day for Java 6u41 and Java 7u15". It's the latter two that are pertinent to why I'm covering the whole Java exploits story again. It would appear that the CVE-2013-2463 vulnerability in the Java 2D subcomponent is still problematic, even though it was addressed in an Oracle patch for Java 7 back in June. Why so? Those previous stories give the clue: updating an insecure version of Java. In this case, Oracle has admitted that the same vulnerability exists in Java 6, but as Java 6 went end of life in April 2013 it's no longer supported, and that means no patch.




Co-founder of IT Security Thing Ltd, Davey Winder is a three-time winner of the Information Security Journalist of the Year award (2006/2008/2010) and received the prestigious Enigma Award for his lifetime contribution to information security journalism in 2011.


