Java still represents a significant security risk despite years of software updates.
According to a report from Bit9, Java is the endpoint technology most targeted by cyber attacks. Its analysis of approximately one million endpoints at hundreds of enterprises worldwide found that outdated versions of Java were being used.
Its survey discovered that some organisations had more than 50 versions of Java installed across all of their endpoints, and five per cent of those enterprises had more than 100 versions of Java installed. The average endpoint ran 1.6 versions of Java; Bit9 attributed this to companies installing a new version, which does not always remove older versions of the software.
The most popular version of Java running on endpoints analysed by Bit9 is version 6 update 20, which is present on nine per cent of all systems and has 96 known vulnerabilities of the highest severity.
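The version sprawl described above can be checked from an endpoint software inventory. The following is an added example, not code from Bit9, Websense or the article: it parses the legacy `1.<major>.0_<update>` Java version strings (and the newer `<major>.<minor>.<security>` form) from a constructed inventory, lists endpoints with more than one Java build, flags builds older than an assumed baseline of Java 7 update 21, and computes the average number of builds per endpoint.

```python
import re
from collections import defaultdict

# Constructed sample inventory (endpoint id, raw product string); not data from the Bit9 report.
SAMPLE_INVENTORY = [
    ("ws-001", "Java(TM) SE Runtime Environment 1.6.0_20"),
    ("ws-001", "Java(TM) SE Runtime Environment 1.7.0_21"),
    ("ws-002", "Java 7 Update 21 (1.7.0_21)"),
    ("ws-003", "J2SE Runtime Environment 5.0 Update 22 (1.5.0_22)"),
    ("ws-003", "Java(TM) 6 Update 45 (1.6.0_45)"),
    ("ws-003", "Java 7 Update 17 (1.7.0_17)"),
    ("ws-004", "Java 7 Update 21 (1.7.0_21)"),
    ("ws-005", "Java 7 Update 21 (1.7.0_21)"),
]

# Legacy naming "1.<major>.0_<update>": Java 6 update 20 is "1.6.0_20".
LEGACY_RE = re.compile(r"\b1\.(\d+)\.0_(\d+)\b")
# Post-Java-9 naming "<major>.<minor>.<security>", e.g. "11.0.12"; the security number fills the update slot.
MODERN_RE = re.compile(r"\b(9|[1-9]\d)\.(\d+)\.(\d+)\b")


def parse_java_version(text):
    """Return (major, update) for the Java build named in text, or None if none is found."""
    m = LEGACY_RE.search(text)
    if m:
        return int(m.group(1)), int(m.group(2))
    m = MODERN_RE.search(text)
    if m:
        return int(m.group(1)), int(m.group(3))
    return None


def audit_java_sprawl(inventory, baseline=(7, 21)):
    """Per-endpoint Java builds: hosts with more than one build, builds below baseline, average per host."""
    per_host = defaultdict(set)
    for host, text in inventory:
        version = parse_java_version(text)
        if version is not None:
            per_host[host].add(version)  # a set, so duplicate inventory rows do not inflate the count
    multi = sorted(h for h, vs in per_host.items() if len(vs) > 1)
    outdated = sorted((h, v) for h, vs in per_host.items() for v in vs if v < baseline)
    avg = sum(len(vs) for vs in per_host.values()) / len(per_host) if per_host else 0.0
    return {"multi_version_hosts": multi, "outdated": outdated, "avg_versions": avg}


if __name__ == "__main__":
    report = audit_java_sprawl(SAMPLE_INVENTORY)
    print(f"{report['avg_versions']:.1f} Java builds per endpoint; several on {report['multi_version_hosts']}")
    for host, (major, update) in report["outdated"]:
        print(f"{host}: Java {major} update {update} is below the baseline")
```

Feeding the real output of an inventory agent into `audit_java_sprawl` gives the same per-endpoint counts the report describes, and the `outdated` list is the removal backlog that an update alone leaves behind.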
Harry Sverdlove, Bit9 chief technology officer, said: “For the past 15 years or so, IT administrators have been under the misperception that updating Java would address its security issues. They have been told that to improve security, they should continuously and aggressively deploy Java updates on all of their endpoints.
“Unfortunately, updating is not the same as upgrading. Until very recently, those updates have failed to deliver the promised security upgrade because they have not removed older, highly vulnerable versions of Java they were intended to replace. As a result, most organisations have multiple versions of Java on their endpoints, including some that were released at the same time as Windows 95.”
Similar research undertaken by Websense earlier this year found that 75 per cent of end-users are using a Java Runtime Environment release that is more than six months out of date, while almost two-thirds of users are a year behind and more than 50 per cent are two years behind.
It also found that two days after a critical patch update in April, fewer than two per cent of users had adopted Java SE Version 7 Update 21. Carl Leonard, senior security research manager, EMEA at Websense, told SC Magazine that this shows a continued pattern: even with their best efforts, businesses still struggle to apply patches in a timely fashion.
Sverdlove said that it was not surprising that most companies are unaware of all the versions of Java on their systems: most organisations lack visibility into their endpoints and servers and so have no idea what is running on them.
Oracle announced in June that it would begin to issue four annual security releases, as well as retain the ability to issue emergency ‘out-of-band’ security fixes.