Research reveals 94 percent of endpoints currently running outdated versions of Java

Share this article:

Rather than focusing on new vulnerabilities, cyber criminals can be just as successful at launching attacks aimed at older Java bugs thanks to outdated browsers, according to new research.

After adding Java version detection to its Advanced Classification Engine (ACE), experts at Websense Security Labs analyzed the Java vulnerability landscape (below). In doing so, they were able to see which versions of Java were actively being used across millions of endpoints.

Results indicated that more than 75 percent of the endpoints analyzed were using outdated browsers with respect to Java vulnerabilities that are at least six months old, two-thirds used versions at least one year old, and more than half of the endpoints used browsers that are more than two years behind on Java updates.

Of the endpoints analyzed, 94 percent are currently running a version of Java that is vulnerable to at least one exploit aimed at the software.

Java is well-known as a popular vector for repeated attacks by cyber criminals, mostly to run remote code execution, Charles Renert, vice president of Websense Security Labs, said in an email Wednesday to SCMagazine.com. This allows saboteurs to completely take over an endpoint.

“Combine this with the universal adoption of browsers, the number of Java flaws being uncovered, the difficulty in patching, and the ready availability of sophisticated exploits and kits, and you have a very popular attack vector,” Renert said.

Rather than leveraging vulnerabilities in the most recent version of the software through “highly managed” exploit kits, like Cool and Blackhole, the research indicates that other, lesser-known exploit kits that use older Java exploits can still be just as successful, Renert said.

According to his company's research, close to 80 percent of users are on a version of Java that will no longer receive updates from Oracle. Java 6 was patched by the company for the last time in February.

“Given the increasing frequency, severity and sophistication of the latest threats, the risk gap from unknown attacks across these kind of vectors is on the rise,” Renert said.

Share this article:
You must be a registered member of SC Magazine to post a comment.

Sign up to our newsletters

TOP COMMENTS

More in News

Email promises free pizza, ensnares victims in Asprox botnet instead

Email promises free pizza, ensnares victims in Asprox ...

Cloudmark came upon an email that offers free pizza, but clicking on the link to get the coupon ends with victims being ensnared in a botnet.

Report: most orgs lacking in response team, policies to address cyber incidents

In its Q3 threat intelligence report, Solutionary learned that 75 percent of organizations it assisted had no response team or policies and procedures to address cyber incidents.

Flash redirect campaign impacts Carnegie Mellon page, leads to Angler EK

Flash redirect campaign impacts Carnegie Mellon page, leads ...

Malwarebytes found that, since early July, thousands of sites had been targeted in the campaign.