
6/4/2013
05:18 PM

No Java Patch For You: 93 Percent Of Users Run Older Versions Of The App

Many end users stuck with older Java to run certain apps, Websense finds

Despite growing awareness of the dangers of Java bugs and exploits, plus Oracle's update of the app in mid-April, some 93 percent of users still aren't running the latest version of the beleaguered app.

That's only a 2 percent improvement from last March, according to Websense, which released the new data today. And it's not all about consumers not applying patches: Most of the data comes from business users, according to Websense.

The lack-of-patching problem is in part a function of Java itself. "My assumption is that many are in the situation where they can't patch because they are depending on applications for productivity that won't work with altered versions," says Bob Hansmann, senior marketing manager for Websense Security Labs. Some developers have written their apps against older versions of the platform, and Java's open community approach has led to compatibility difficulties with newer versions.

Some developers have written apps to a specific iteration and version of Java, and if they were to upgrade to the newer version, they would lose features or functionality, he says. That leaves users stuck with older and more vulnerable Java versions.

The latest data is a follow-up to a report back in March where Websense found that nearly 95 percent of endpoints actively running Java are vulnerable to at least a single Java exploit: Seventy-five percent of end users were running a version of Java in their browsers that's at least six months out of date; two-thirds, a year out of date; and 50 percent, more than two years out of date. And nearly one-fourth of users were employing a Java version that was more than four years old.

The newest version of Java, Version 7 Update 21, is just not getting much uptake yet, according to the data released today by Websense. The small amount of adoption has been very gradual: Two days after the release of the patch in April, less than 2 percent of users had adopted Version 7 Update 21, and after one week, less than 3 percent. Two weeks after the release, 4 percent had updated, and one month after it came out, just 7 percent had updated.

The stakes are high: Thirty-nine of the 42 security fixes in CVE-2013-2423 may be remotely exploitable without authentication, Websense points out, and a Metasploit module was released just a few days after the patch was issued by Oracle. "Not only that, but we are also monitoring the possible impact of a recent vulnerability disclosure affecting the Java SE Version 7 Update 21 itself," Websense said in a blog post today. The security firm recommends updating to the latest version and doing the same with the upcoming patches from Oracle on June 18.


Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...
