
Organisations have more than 50 versions of Java installed


Java still represents a significant security risk despite years of software updates.

According to a report from Bit9, Java is the endpoint technology most targeted by cyber attacks. Its analysis of approximately one million endpoints at hundreds of enterprises worldwide found that outdated versions of Java were being used.

Its survey discovered that some organisations had more than 50 versions of Java installed across all of their endpoints, and five per cent of those enterprises had more than 100 versions of Java installed. The average endpoint ran 1.6 versions of Java; Bit9 attributed this to companies installing a new version, which does not always remove older versions of the software.

The most popular version of Java running on endpoints analysed by Bit9 is version 6 update 20, which is present on nine per cent of all systems and has 96 known vulnerabilities of the highest severity.

Harry Sverdlove, Bit9 chief technology officer, said: “For the past 15 years or so, IT administrators have been under the misperception that updating Java would address its security issues. They have been told that to improve security, they should continuously and aggressively deploy Java updates on all of their endpoints.

“Unfortunately, updating is not the same as upgrading. Until very recently, those updates have failed to deliver the promised security upgrade because they have not removed older, highly vulnerable versions of Java they were intended to replace. As a result, most organisations have multiple versions of Java on their endpoints, including some that were released at the same time as Windows 95.”

Similar research undertaken by Websense earlier this year found that 75 per cent of end-users are using a Java Runtime Environment release that is more than six months out of date, while almost two-thirds of users are a year behind and more than 50 per cent are two years behind.

It also found that two days after a critical patch update in April, fewer than two per cent of users had adopted Java SE Version 7 Update 21. Carl Leonard, senior security research manager, EMEA at Websense, told SC Magazine that this shows a continued pattern that even with best efforts businesses still struggle to apply patches in a timely fashion.

Sverdlove said that it was not surprising that most companies are unaware of all the versions of Java on their systems, as most organisations lack visibility into what is running on their endpoints and servers.

Oracle announced in June that it would begin to issue four annual security releases, as well as retain the ability to issue emergency ‘out of band’ security fixes.
