Research reveals 94 percent of endpoints currently running outdated versions of Java


Rather than focusing on new vulnerabilities, cyber criminals can be just as successful at launching attacks aimed at older Java bugs thanks to outdated browsers, according to new research.

After adding Java version detection to its Advanced Classification Engine (ACE), experts at Websense Security Labs analyzed the Java vulnerability landscape (below). In doing so, they were able to see which versions of Java were actively being used across millions of endpoints.

Results indicated that more than 75 percent of the endpoints analyzed were running browsers whose Java was out of date with respect to vulnerabilities at least six months old, two-thirds ran versions at least one year old, and more than half of the endpoints ran browsers more than two years behind on Java updates.

Of the endpoints analyzed, 94 percent are currently running a version of Java that is vulnerable to at least one exploit aimed at the software.

Java is well-known as a popular vector for repeated attacks by cyber criminals, mostly to run remote code execution, Charles Renert, vice president of Websense Security Labs, said in an email Wednesday to SCMagazine.com. This allows saboteurs to completely take over an endpoint.

“Combine this with the universal adoption of browsers, the number of Java flaws being uncovered, the difficulty in patching, and the ready availability of sophisticated exploits and kits, and you have a very popular attack vector,” Renert said.

Rather than leveraging vulnerabilities in the most recent version of the software through “highly managed” exploit kits, like Cool and Blackhole, the research indicates that other, lesser-known exploit kits that use older Java exploits can still be just as successful, Renert said.

According to his company's research, close to 80 percent of users are on a version of Java that will no longer receive updates from Oracle. Java 6 was patched by the company for the last time in February.
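The study's method, version detection per endpoint followed by grouping into "at least six months / one year / two years old" and "no longer patched" buckets, can be reproduced for your own inventory. The following is an added example, not Websense's code: it parses legacy `1.<major>.0_<update>` Java version strings, ages them against an assumed release-date table, and reports the same cumulative shares. The release dates, hostnames and analysis date are constructed for illustration and are not Oracle's real dates.

```python
import re
from datetime import date

# Constructed sample data: these release dates are assumed for illustration,
# not Oracle's real dates. Keys use the "1.<major>.0_<update>" form a pre-9 JRE reports.
RELEASE_DATES = {
    "1.6.0_20": date(2010, 4, 1),
    "1.6.0_45": date(2013, 2, 1),
    "1.7.0_07": date(2012, 8, 1),
    "1.7.0_17": date(2013, 3, 1),
}
END_OF_SUPPORT_MAJORS = {6}   # the article: Java 6 took its last Oracle patch in February
AS_OF = date(2013, 3, 27)     # constructed analysis date
_VERSION_RE = re.compile(r"^1\.(\d+)\.0_(\d+)$")

def parse_version(version):
    """Return (major, update) from a legacy Java version string, or None if it does not match."""
    m = _VERSION_RE.match(version.strip())
    return (int(m.group(1)), int(m.group(2))) if m else None

def summarize(endpoints, as_of):
    """endpoints: list of (endpoint_id, version_string). Returns cumulative percentages:
    share at least 6m/1y/2y old, on an end-of-support major, and behind the newest known update."""
    latest = {}                               # newest update number the table knows per major
    for v in RELEASE_DATES:
        mj, up = parse_version(v)
        latest[mj] = max(latest.get(mj, 0), up)
    counts = {"6m": 0, "1y": 0, "2y": 0, "eol": 0, "behind_latest": 0, "unknown": 0}
    for _, ver in endpoints:
        parsed = parse_version(ver)
        released = RELEASE_DATES.get(ver)
        if parsed is None or released is None:
            counts["unknown"] += 1            # malformed or not in the table: report, don't guess
            continue
        age_days = (as_of - released).days
        for key, threshold in (("6m", 182), ("1y", 365), ("2y", 730)):
            if age_days >= threshold:
                counts[key] += 1              # buckets are cumulative, as in the study
        major, update = parsed
        if major in END_OF_SUPPORT_MAJORS:
            counts["eol"] += 1
        if update < latest[major]:
            counts["behind_latest"] += 1      # an older update than the newest one for its major
    total = len(endpoints)
    return {k: round(100.0 * n / total, 1) for k, n in counts.items()}

# Constructed endpoint inventory (hypothetical hosts and versions).
SAMPLE_ENDPOINTS = [("ws-01", "1.6.0_20"), ("ws-02", "1.6.0_45"), ("ws-03", "1.7.0_07"),
                    ("ws-04", "1.7.0_17"), ("ws-05", "1.6.0_20")]
```

Feeding real detection output into `RELEASE_DATES` and `SAMPLE_ENDPOINTS` gives the same cumulative view the study reports, with a separate "unknown" share so unrecognised version strings are visible rather than silently counted as current.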

“Given the increasing frequency, severity and sophistication of the latest threats, the risk gap from unknown attacks across these kind of vectors is on the rise,” Renert said.
