Research reveals 94 percent of endpoints currently running outdated versions of Java

Share this article:

Rather than focusing on new vulnerabilities, cyber criminals can be just as successful at launching attacks aimed at older Java bugs thanks to outdated browsers, according to new research.

After adding Java version detection to its Advanced Classification Engine (ACE), experts at Websense Security Labs analyzed the Java vulnerability landscape (below). In doing so, they were able to see which versions of Java were actively being used across millions of endpoints.

Results indicated that more than 75 percent of the endpoints analyzed were using outdated browsers with respect to Java vulnerabilities that are at least six months old, two-thirds used versions at least one year old, and more than half of the endpoints used browsers that are more than two years behind on Java updates.

Of the endpoints analyzed, 94 percent are currently running a version of Java that is vulnerable to at least one exploit aimed at the software.

Java is well-known as a popular vector for repeated attacks by cyber criminals, mostly to run remote code execution, Charles Renert, vice president of Websense Security Labs, said in an email Wednesday to This allows saboteurs to completely take over an endpoint.

“Combine this with the universal adoption of browsers, the number of Java flaws being uncovered, the difficulty in patching, and the ready availability of sophisticated exploits and kits, and you have a very popular attack vector,” Renert said.

Rather than leveraging vulnerabilities in the most recent version of the software through “highly managed” exploit kits, like Cool and Blackhole, the research indicates that other, lesser-known exploit kits that use older Java exploits can still be just as successful, Renert said.

According to his company's research, close to 80 percent of users are on a version of Java that will no longer receive updates from Oracle. Java 6 was patched by the company for the last time in February.

“Given the increasing frequency, severity and sophistication of the latest threats, the risk gap from unknown attacks across these kind of vectors is on the rise,” Renert said.

Share this article:
You must be a registered member of SC Magazine to post a comment.

Sign up to our newsletters

More in News

Ground system for weather satellites contains thousands of 'high-risk' bugs

Ground system for weather satellites contains thousands of ...

An audit of the Joint Polar Satellite System ground system revealed thousands of vulnerabilities, most of which will be addressed in two years when the next version of the system ...

Threat report on Swedish firms shows 93 percent were breached

The study by KPMG and FireEye also found that 49 percent of detected malware was unknown.

Former acting HHS cyber director convicted on child porn charges

Former acting HHS cyber director convicted on child ...

Timothy DeFoggi, who was nabbed by the FBI last year in its Operation Torpedo investigation was convicted by federal jury in Nebraska.