Vulnerabilities / Threats
3/26/2013
04:43 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%
Repost This

The Scope Of The Java Problem

New Websense data highlights why Java is attackers' favorite target: most end users run outdated versions of the app

Nearly 95 percent of endpoints actively running Java are vulnerable to at least a single Java exploit, according to new data from Websense.

The security firm decided to measure the actual state of Java vulnerability when it comes to users and their Java versions, and the numbers weren't pretty: 75 percent of end users run a version of Java in their browser that's at least six months out of date; two-thirds, a year out of date; and 50 percent, more than two years out of date. And nearly one-fourth of users employ a Java version that is more than four years old.

"It is probably no surprise that the largest single exploited vulnerability is the most recent one, with a vulnerable population of browsers at 93.77%. That's what the bad guys do — examine your security controls and find the easiest way to bypass them," according to a Websense blog post yesterday with the new data. "Grabbing a copy of the latest version of Cool and using a pre-packaged exploit is a pretty low bar to go after such a large population of vulnerable browsers."

Then there are the earlier versions of Java, prior to Version 7: some 79 percent of end users are still running that iteration of the app. The really bad news here is that the latest update to Java Development Kit 6, update 43, is the last one Oracle plans to release for that version of JDK . The software firm recommends that users move to JDK 7. "This means that more than 77 percent of users (based on requests from our research) are currently using Java version that are essentially [end of life] and will not be updated, patched or supported by Oracle," according to Websense.

The security firm got the real-time data on tens of millions of endpoints worldwide from its ThreatSeeker network. It found that only five percent of users are running the newest version of the Java Runtime Environment, 1.7.17.

Java Users Release Dates
(click image for larger view)
A look at the versions of Java Runtime Environment, based on active browser usage. Source: Websense

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Kelly Jackson Higgins is Senior Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise Magazine, ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
hunterpj
50%
50%
hunterpj,
User Rank: Apprentice
4/4/2013 | 4:46:59 PM
re: The Scope Of The Java Problem
In the corporate world-ádisconnecting-áfrom older versions of Java is difficult. We have numerous internal applications and tools as well as external partners that do not support JDK 7. We are considering virtual systems locked down so that they just connect to our internal and partner resources when Java is required, while everyday user systems will be prevented from installing Java.
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2008-3277
Published: 2014-04-15
Untrusted search path vulnerability in a certain Red Hat build script for the ibmssh executable in ibutils packages before ibutils-1.5.7-2.el6 in Red Hat Enterprise Linux (RHEL) 6 and ibutils-1.2-11.2.el5 in Red Hat Enterprise Linux (RHEL) 5 allows local users to gain privileges via a Trojan Horse p...

CVE-2010-2236
Published: 2014-04-15
The monitoring probe display in spacewalk-java before 2.1.148-1 and Red Hat Network (RHN) Satellite 4.0.0 through 4.2.0 and 5.1.0 through 5.3.0, and Proxy 5.3.0, allows remote authenticated users with permissions to administer monitoring probes to execute arbitrary code via unspecified vectors, rela...

CVE-2011-3628
Published: 2014-04-15
Untrusted search path vulnerability in pam_motd (aka the MOTD module) in libpam-modules before 1.1.3-2ubuntu2.1 on Ubuntu 11.10, before 1.1.2-2ubuntu8.4 on Ubuntu 11.04, before 1.1.1-4ubuntu2.4 on Ubuntu 10.10, before 1.1.1-2ubuntu5.4 on Ubuntu 10.04 LTS, and before 0.99.7.1-5ubuntu6.5 on Ubuntu 8.0...

CVE-2012-0214
Published: 2014-04-15
The pkgAcqMetaClearSig::Failed method in apt-pkg/acquire-item.cc in Advanced Package Tool (APT) 0.8.11 through 0.8.15.10 and 0.8.16 before 0.8.16~exp13, when updating from repositories that use InRelease files, allows man-in-the-middle attackers to install arbitrary packages by preventing a user fro...

CVE-2013-4768
Published: 2014-04-15
The web services APIs in Eucalyptus 2.0 through 3.4.1 allow remote attackers to cause a denial of service via vectors related to the "network connection clean up code" and (1) Cloud Controller (CLC), (2) Walrus, (3) Storage Controller (SC), and (4) VMware Broker (VB).

Best of the Web