
Enterprises running Java versions that are months out of date, analysis finds

Easy meat

Despite the widespread and well-publicised exploitation of vulnerabilities in Java, large numbers of organisations continue to use versions that are weeks, months or even years out of date, a Websense survey of its customers has reported.

Collecting data from millions of endpoints, Websense discovered an amazing degree of fragmentation of Java clients, with three quarters using a Runtime that was at least six months out of date.

Drilling down again, two thirds were half a year out of date and half were more than a year behind, a degree of vulnerability that would make such PCs easy meat for even non-targeted attacks using common Java exploits.

A quarter were more than four years out of date, as good as saying these endpoints will probably never receive a Java update.

Only one in twenty were detected to be running the latest Java version.

Plotting this against known exploits in malware toolkits, Websense found that 94 percent of endpoints were vulnerable to the most recent example, CVE-2013-1493. Three quarters were vulnerable to CVE-2012-5076 from last November.
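The survey described above amounts to three calculations over an endpoint inventory: how fragmented the installed versions are, how far behind a chosen date each runtime is, and what share of endpoints fall below the update that fixes a given advisory. The script below is an added illustration of that analysis and is not Websense's or Oracle's code. The endpoint list, the release-date table and the fixing updates in FIXED_IN are all constructed sample values for the example, not figures taken from the article.

```python
from collections import Counter
from datetime import date
import re

# Legacy Java version strings look like "1.7.0_17" (family 7, update 17).
VERSION_RE = re.compile(r"^1\.(\d+)\.(\d+)_(\d+)$")

def parse_version(s):
    """Parse '1.<family>.<minor>_<update>' into a comparable (family, minor, update) tuple."""
    m = VERSION_RE.match(s)
    if not m:
        raise ValueError(f"unrecognised Java version string: {s!r}")
    family, minor, update = (int(x) for x in m.groups())
    return (family, minor, update)

# Constructed release-date table for the sample inventory (assumption for
# illustration only; a real analysis takes these from the vendor's release notes).
RELEASE_DATES = {
    "1.7.0_17": date(2013, 3, 4),
    "1.7.0_15": date(2013, 2, 19),
    "1.7.0_09": date(2012, 10, 16),
    "1.6.0_30": date(2011, 12, 12),
    "1.6.0_13": date(2009, 3, 24),
    "1.5.0_22": date(2009, 11, 4),
}

# Constructed inventory of 20 endpoints (e.g. collected from version strings
# reported by each host). Not real survey data.
SAMPLE_INVENTORY = (
    ["1.7.0_17"] * 1 + ["1.7.0_15"] * 4 + ["1.7.0_09"] * 5
    + ["1.6.0_30"] * 4 + ["1.6.0_13"] * 3 + ["1.5.0_22"] * 3
)
SURVEY_DATE = date(2013, 3, 25)  # constructed reference date for the age calculation

# Assumed fixing updates for one advisory, keyed by Java family. A family with
# no entry is treated as unfixed (end of life). Illustrative values only.
FIXED_IN = {7: (7, 0, 17), 6: (6, 0, 43)}

def age_days(version, as_of):
    """Days between the runtime's release and the reference date."""
    return (as_of - RELEASE_DATES[version]).days

def fragmentation(inventory):
    """Count of endpoints per installed version, most common first."""
    return Counter(inventory).most_common()

def summarise(inventory, as_of, latest):
    """Share of endpoints on the latest version and in each 'out of date' bucket."""
    n = len(inventory)
    ages = [age_days(v, as_of) for v in inventory]
    return {
        "latest": sum(1 for v in inventory if v == latest) / n,
        "six_months": sum(1 for a in ages if a >= 183) / n,
        "one_year": sum(1 for a in ages if a >= 365) / n,
        "four_years": sum(1 for a in ages if a >= 1461) / n,
    }

def vulnerable_share(inventory, fixed_in):
    """Share of endpoints running a version older than the fixing update for
    their family; families without a fix count as vulnerable."""
    vulnerable = 0
    for v in inventory:
        parsed = parse_version(v)
        fix = fixed_in.get(parsed[0])
        if fix is None or parsed < fix:
            vulnerable += 1
    return vulnerable / len(inventory)

if __name__ == "__main__":
    print("fragmentation:", fragmentation(SAMPLE_INVENTORY))
    print("age buckets:", summarise(SAMPLE_INVENTORY, SURVEY_DATE, "1.7.0_17"))
    print("below fixing update:", vulnerable_share(SAMPLE_INVENTORY, FIXED_IN))
```

With the constructed inventory, one endpoint in twenty is on the newest version, half are at least a year behind, and 95 percent sit below the assumed fixing update. The version tuple comparison is what makes the advisory check work: an endpoint on 7u15 is older than 7u17 even though it is newer than every Java 6 build, so the comparison must be done within the family rather than across the whole string.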

"This means that more than 77 per cent of users (based on requests from our research) are currently using Java versions that are essentially end of life and will not be updated, patched or supported by Oracle," said Websense.

If one takes Websense's figures at face value, there are actually two problems with Java.

First, a surprisingly large number of users aren't being patched at all. Second, even those who do are finding it hard to keep up with the inexorable cycle of updates.

The situation is now so bad that many security experts recommend that consumers and businesses simply ditch Java altogether, or look to do that as soon as is possible.

There seems to be no easy way out of this impasse. Oracle has been encouraged to add new security features such as application whitelisting, but this wouldn't solve matters for the large population of holdouts.
