java
Security

Outdated (and vulnerable) Java usage abounds, analysis finds

Despite the widespread and well-publicized exploitation of vulnerabilities in Java, large numbers of businesess continue to use versions that are weeks, months, or even years out of date, a Websense survey of its customers reports.

Collecting data from millions of endpoints, Websense discovered an amazing degree of fragmentation of Java clients, with three quarters using a runtime that was at least six months out of date.

Drilling down again, two-thirds were half a year out of date and half were more than a year behind, a degree of vulnerability that would make such PCs easy meat for even non-targeted attacks using common Java exploits.

A quarter were more than four years out of date, as good as saying these endpoints will probably never receive a Java update.

Only one in 20 were detected to be running the latest Java version.

Recurring problem

Plotting this against known exploits in malware toolkits, Websense found that 94 percent of endpoints were vulnerable to the most recent example, CVE-2013-1493. Three quarters were vulnerable to CVE-2012-5076 from last November.

"This means that more than 77 percent of users (based on requests from our research) are currently using Java version that are essentially end of life and will not be updated, patched or supported by Oracle," said Websense.

If one takes Websense's figures at face value, there are actually two problems with Java.

First, a surprisingly large number of users aren't being patched at all. Second, even those who do are finding it hard to keep up with the inexorable cycle of updates.

The situation is now so bad that many security experts recommend that consumers and businesses simply ditch Java altogether, or look to do that as soon as is possible.

There seem to be no easy way out of this impasse. Oracle has been encouraged to add new security features such as application whitelisting but this wouldn't solve matters for the large population of holdouts.

Subscribe to the Security Watch Newsletter

Comments