Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

6/4/2013
05:18 PM
Connect Directly
Twitter
RSS
E-Mail
50%
50%

No Java Patch For You: 93 Percent Of Users Run Older Versions Of The App

Many end users stuck with older Java to run certain apps, Websense finds

Despite growing awareness of the dangers of Java bugs and exploits, plus Oracle's update of the app in mid-April, some 93 percent of users still aren't running the latest version of the beleaguered app.

That's only a 2 percent improvement from last March, according to Websense, which released the new data today. And it's not all about consumers not applying patches: Most of the data comes from business users, according to Websense.

The lack-of-patching problem is in part a function of Java itself. "My assumption is that many are in the situation where they can't patch because they are depending on applications for productivity that won't work with altered versions," says Bob Hansmann, senior marketing manager for Websense Security Labs. Some developers have written their apps on older versions of the platform, and its open community approach has made for difficulties in compatibility of newer versions.

Some developers have written apps to a specific iteration and version of Java, and if they were to upgrade to the newer version, they would lose features or functionality, he says. That leaves users stuck with older and more vulnerable Java versions.

The latest data is a follow-up to a report back in March where Websense found that nearly 95 percent of endpoints actively running Java are vulnerable to at least a single Java exploit: Seventy-five percent of end users were running a version of Java in their browsers that's at least six months out of date; two-thirds, a year out of date; and 50 percent, more than two years out of date. And nearly one-fourth of users were employing a Java version that was more than four years old.

The newest version of Java, Version 7 Update 21, is just not getting much uptake yet, according to the data released today by Websense. The small amount of adoption has been very gradual: Two days after the release of the patch in April, less than 2 percent of users had adopted Version 7 Update 21, and after one week, less than 3 percent. Two weeks after the release, 4 percent had updated, and one month after it came out, just 7 percent had updated.

The stakes are high: Thirty-nine of the 42 security fixes in CVE-2013-2423 may be remotely exploitable without authentication, Websense points out, and a Metasploit module was released just a few days after the patch was issued by Oracle. "Not only that, but we are also monitoring the possible impact of a recent vulnerability disclosure affecting the Java SE Version 7 Update 21 itself," Websense said in a blog post today. The security firm recommends updating to the latest version, and to do the same with the upcoming patches from Oracle on June 18.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
News
Former CISA Director Chris Krebs Discusses Risk Management & Threat Intel
Kelly Sheridan, Staff Editor, Dark Reading,  2/23/2021
Edge-DRsplash-10-edge-articles
Security + Fraud Protection: Your One-Two Punch Against Cyberattacks
Joshua Goldfarb, Director of Product Management at F5,  2/23/2021
News
Cybercrime Groups More Prolific, Focus on Healthcare in 2020
Robert Lemos, Contributing Writer,  2/22/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: "The truth behind Stonehenge...."
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
Building the SOC of the Future
Building the SOC of the Future
Digital transformation, cloud-focused attacks, and a worldwide pandemic. The past year has changed the way business works and the way security teams operate. There is no going back.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-27886
PUBLISHED: 2021-03-02
rakibtg Docker Dashboard before 2021-02-28 allows command injection in backend/utilities/terminal.js via shell metacharacters in the command parameter of an API request. NOTE: this is NOT a Docker, Inc. product.
CVE-2016-8153
PUBLISHED: 2021-03-02
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: The CNA or individual who requested this candidate did not associate it with any vulnerability during 2016. Notes: none.
CVE-2016-8154
PUBLISHED: 2021-03-02
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: The CNA or individual who requested this candidate did not associate it with any vulnerability during 2016. Notes: none.
CVE-2016-8155
PUBLISHED: 2021-03-02
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: The CNA or individual who requested this candidate did not associate it with any vulnerability during 2016. Notes: none.
CVE-2016-8156
PUBLISHED: 2021-03-02
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: The CNA or individual who requested this candidate did not associate it with any vulnerability during 2016. Notes: none.