Most browser installations use outdated versions of the Java plug-in that are vulnerable to at least one of several exploits currently used in popular Web attack toolkits, according to statistics published by security vendor Websense.
The company recently used its threat intelligence network, which monitors billions of Web requests originating from “tens of millions” of endpoint computers protected by its products, to detect the Java versions that are installed on those systems and are available through their Web browsers. Websense provides Web and email gateway security products for businesses, but it also has a partnership with Facebook to scan links clicked by users on the social networking site for malicious content.
The Java telemetry data gathered by Websense showed that only 5.5 percent of Java-enabled browsers have the most up-to-date versions of the software’s browser plug-in—Java 7 Update 17 (7u17) and Java 6 Update 43 (6u43)—installed. These two versions were released on March 4 in order to address a vulnerability that was already being exploited in active attacks at the time.
According to Websense, an exploit for that vulnerability has since been integrated into the Cool Exploit Kit, a Web attack toolkit used by cybercriminals to launch mass drive-by download attacks that infect computers with malware when visiting compromised or malicious websites.
Cool Exploit Kit is a high-end attack toolkit that requires a subscription of $10,000 per month, so there’s an argument to be made that not many cybercriminals can afford it. However, Websense’s data shows that a large number of Java-enabled browser installations are also vulnerable to exploits used in much cheaper and widespread exploit kits.
For example, the company found that around 71 percent of Java-enabled browser installations were vulnerable to an older exploit that’s currently present in four different Web attack toolkits: RedKit, CritXPack, Gong Da and Blackhole 2.0. The exploit targets a Java vulnerability called CVE-2012-4681 that was patched by Oracle in August 2012.
More than 75 percent of the Java-enabled browsers scanned by Websense used a Java plug-in version that was more than six months old, and nearly two-thirds used a version that was more than a year old. Users of those browsers don’t benefit from the security controls introduced by Oracle in Java 7 Update 11 that prevent Java applets from running inside browsers without confirmation by default.
The data shows that when it comes to Java, zero-day attacks—attacks exploiting vulnerabilities that were previously unknown to the public—should not be getting all of the attention, security researchers from Websense said in a blog post.
Other security experts have said in the past that Oracle should find a way to improve the adoption rate of Java updates, possibly by offering the option of silent, automatic updates like Google or Adobe did in Chrome, Flash Player and Adobe Reader. Silent software updates are not popular in corporate environments, where patches need to be tested for compatibility and stability issues before being deployed on systems, but they would probably help reduce the fragmentation of Java versions in the consumer space if implemented.