
Organisations have more than 50 versions of Java installed

Java still represents a significant security risk despite years of software updates.

According to a report from Bit9, Java is the endpoint technology most targeted by cyber attacks. Its analysis of approximately one million endpoints at hundreds of enterprises worldwide found that outdated versions of Java were being used.

Its survey discovered that some organisations had more than 50 versions of Java installed across their endpoints, and five per cent of those enterprises had more than 100 versions installed. The average endpoint ran 1.6 versions of Java; Bit9 attributed this to the way Java is deployed, since installing a new version does not always remove the older versions already on the machine.

The most popular version of Java running on endpoints analysed by Bit9 is version 6 update 20, which is present on nine per cent of all systems and has 96 known vulnerabilities of the highest severity.

Harry Sverdlove, Bit9 chief technology officer, said: “For the past 15 years or so, IT administrators have been under the misperception that updating Java would address its security issues. They have been told that to improve security, they should continuously and aggressively deploy Java updates on all of their endpoints.

“Unfortunately, updating is not the same as upgrading. Until very recently, those updates have failed to deliver the promised security upgrade because they have not removed older, highly vulnerable versions of Java they were intended to replace. As a result, most organisations have multiple versions of Java on their endpoints, including some that were released at the same time as Windows 95.”

Similar research undertaken by Websense earlier this year found that 75 per cent of end-users are using a Java Runtime Environment release that is more than six months out of date, while almost two-thirds of users are a year behind and more than 50 per cent are two years behind.

It also found that two days after a critical patch update in April, fewer than two per cent of users had adopted Java SE Version 7 Update 21. Carl Leonard, senior security research manager, EMEA at Websense, told SC Magazine that this continues a pattern in which, even with their best efforts, businesses still struggle to apply patches in a timely fashion.

Sverdlove said it was not surprising that most companies are unaware of all the versions of Java on their systems, since most organisations lack visibility into what is actually running on their endpoints and servers.
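The two findings above, that endpoints accumulate old Java runtimes because updates do not remove them and that organisations cannot see what is installed, come down to the same practical task: enumerate every JRE on every endpoint and compare each against a baseline. The script below is an added example written for this article, not code from Bit9, Websense or Oracle. It parses `java -version` banners in both the legacy `1.M.0_uu` scheme and the `MAJOR.MINOR.SECURITY` scheme used from Java 9 onwards into comparable tuples, then reports per-endpoint version counts and outdated installs. The endpoint names, banners and the `/usr/lib/jvm`-style search paths are constructed sample data and assumptions, not figures from the report.

```python
import glob
import re
import shutil
import subprocess

# Matches the first line of a `java -version` banner, e.g.
#   java version "1.6.0_20"
#   openjdk version "11.0.2" 2019-01-15
BANNER_RE = re.compile(r'(?:java|openjdk) version "([^"]+)"')
# Legacy scheme (Java 1.0 - 8): 1.<major>.<minor>_<update>[-build]
LEGACY_RE = re.compile(r"1\.(\d+)\.(\d+)(?:_(\d+))?(?:-.*)?")
# JEP 223 scheme (Java 9+): <major>[.<minor>[.<security>[.<patch>]]][-pre][+build]
MODERN_RE = re.compile(r"(\d+)(?:\.(\d+))?(?:\.(\d+))?(?:\.\d+)*(?:[-+].*)?")


def parse_java_version(text):
    """Turn a banner line or bare version string into a (major, minor, update) tuple.

    Tuples from both schemes compare correctly with each other, so
    1.6.0_20 < 1.7.0_21 < 11.0.2 holds as expected.
    """
    m = BANNER_RE.search(text)
    ver = m.group(1) if m else text.strip()
    legacy = LEGACY_RE.fullmatch(ver)
    if legacy:
        return (int(legacy.group(1)), int(legacy.group(2)), int(legacy.group(3) or 0))
    modern = MODERN_RE.fullmatch(ver)
    if modern:
        return (int(modern.group(1)), int(modern.group(2) or 0), int(modern.group(3) or 0))
    raise ValueError(f"unrecognised Java version string: {ver!r}")


def inventory(endpoints, baseline):
    """endpoints: {hostname: [banner, ...]} listing every JRE found on each host.

    Returns the distinct version count across the estate, the average number of
    versions per endpoint (the article's 1.6 figure), and which hosts still carry
    a runtime older than `baseline`.
    """
    base = parse_java_version(baseline)
    distinct = set()
    per_host = {}
    for host, banners in endpoints.items():
        versions = {parse_java_version(b) for b in banners}
        distinct |= versions
        per_host[host] = {
            "count": len(versions),
            "outdated": sorted(v for v in versions if v < base),
        }
    return {
        "distinct_versions": len(distinct),
        "avg_per_endpoint": sum(h["count"] for h in per_host.values()) / len(per_host),
        "hosts_with_outdated": sorted(h for h, d in per_host.items() if d["outdated"]),
        "per_host": per_host,
    }


# Assumed install locations to search on a real host. Only the `java` on PATH
# is visible to a naive check; the older copies the article describes live in
# these side-by-side directories and are missed unless they are enumerated.
JAVA_GLOBS = (
    "/usr/lib/jvm/*/bin/java",
    "/Library/Java/JavaVirtualMachines/*/Contents/Home/bin/java",
    "C:/Program Files*/Java/*/bin/java.exe",
)


def local_java_banners():
    """Run `<path> -version` for every Java binary found on this host."""
    paths = {shutil.which("java")} if shutil.which("java") else set()
    for pattern in JAVA_GLOBS:
        paths.update(glob.glob(pattern))
    banners = []
    for path in sorted(paths):
        # `java -version` writes its banner to stderr.
        out = subprocess.run([path, "-version"], capture_output=True, text=True)
        text = (out.stderr or out.stdout).strip()
        if text:
            banners.append(text.splitlines()[0])
    return banners


# Constructed sample data: four hypothetical workstations and the JREs on them.
SAMPLE_ENDPOINTS = {
    "ws-01": ['java version "1.6.0_20"', 'java version "1.7.0_21"'],
    "ws-02": ['java version "1.7.0_21"'],
    "ws-03": ['java version "1.6.0_20"', 'java version "1.6.0_45"',
              'openjdk version "11.0.2" 2019-01-15'],
    "ws-04": ['java version "1.7.0_21"'],
}

if __name__ == "__main__":
    # Baseline of 7u21, the April critical patch update mentioned in the article.
    report = inventory(SAMPLE_ENDPOINTS, "1.7.0_21")
    print(f"distinct versions: {report['distinct_versions']}")
    print(f"average versions per endpoint: {report['avg_per_endpoint']:.2f}")
    for host in report["hosts_with_outdated"]:
        print(f"{host}: outdated {report['per_host'][host]['outdated']}")
    print("this host:", local_java_banners() or "no Java binaries found")
```

Note that `ws-01` and `ws-03` still report an outdated runtime even though both also carry a current one, which is exactly the "updated but not upgraded" state the article describes; a check that only queries the `java` on PATH would report those hosts as patched.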

Oracle announced in June that it would begin to issue four annual security releases, as well as retain the ability to issue emergency ‘out of band' security fixes.
