Research reveals 94 percent of endpoints currently running outdated versions of Java

Share this article:

Rather than focusing on new vulnerabilities, cyber criminals can be just as successful at launching attacks aimed at older Java bugs thanks to outdated browsers, according to new research.

After adding Java version detection to its Advanced Classification Engine (ACE), experts at Websense Security Labs analyzed the Java vulnerability landscape (below). In doing so, they were able to see which versions of Java were actively being used across millions of endpoints.

Results indicated that more than 75 percent of the endpoints analyzed were using outdated browsers with respect to Java vulnerabilities that are at least six months old, two-thirds used versions at least one year old, and more than half of the endpoints used browsers that are more than two years behind on Java updates.

Of the endpoints analyzed, 94 percent are currently running a version of Java that is vulnerable to at least one exploit aimed at the software.

Java is well-known as a popular vector for repeated attacks by cyber criminals, mostly to run remote code execution, Charles Renert, vice president of Websense Security Labs, said in an email Wednesday to This allows saboteurs to completely take over an endpoint.

“Combine this with the universal adoption of browsers, the number of Java flaws being uncovered, the difficulty in patching, and the ready availability of sophisticated exploits and kits, and you have a very popular attack vector,” Renert said.

Rather than leveraging vulnerabilities in the most recent version of the software through “highly managed” exploit kits, like Cool and Blackhole, the research indicates that other, lesser-known exploit kits that use older Java exploits can still be just as successful, Renert said.

According to his company's research, close to 80 percent of users are on a version of Java that will no longer receive updates from Oracle. Java 6 was patched by the company for the last time in February.

“Given the increasing frequency, severity and sophistication of the latest threats, the risk gap from unknown attacks across these kind of vectors is on the rise,” Renert said.

Share this article:

Sign up to our newsletters

More in News

POS malware risks millions of payment cards for Michaels, Aaron Brothers shoppers

POS malware risks millions of payment cards for ...

An investigation dating back to January has finally confirmed that malware on point-of-sale systems may have compromised payment card data for millions of Michaels Stores and Aaron Brothers customers.

Phishing scam targets Michigan public schools

Unknown attackers used the finance director's email account to request wire transfers from the school district's accounting department.

Contempt order against Lavabit still stands, appeals court rules

Contempt order against Lavabit still stands, appeals court ...

A federal appeals court backed an earlier ruling penalizing the email service.