Rather than focusing on new vulnerabilities, cyber criminals can be just as successful at launching attacks aimed at older Java bugs thanks to outdated browsers, according to new research.
After adding Java version detection to its Advanced Classification Engine (ACE), experts at Websense Security Labs analyzed the Java vulnerability landscape (below). In doing so, they were able to see which versions of Java were actively being used across millions of endpoints.
Results indicated that more than 75 percent of the endpoints analyzed were using outdated browsers with respect to Java vulnerabilities that are at least six months old, two-thirds used versions at least one year old, and more than half of the endpoints used browsers that are more than two years behind on Java updates.
Of the endpoints analyzed, 94 percent are currently running a version of Java that is vulnerable to at least one exploit aimed at the software.
Java is well-known as a popular vector for repeated attacks by cyber criminals, mostly to run remote code execution, Charles Renert, vice president of Websense Security Labs, said in an email Wednesday to SCMagazine.com. This allows saboteurs to completely take over an endpoint.
“Combine this with the universal adoption of browsers, the number of Java flaws being uncovered, the difficulty in patching, and the ready availability of sophisticated exploits and kits, and you have a very popular attack vector,” Renert said.
Rather than leveraging vulnerabilities in the most recent version of the software through “highly managed” exploit kits, like Cool and Blackhole, the research indicates that other, lesser-known exploit kits that use older Java exploits can still be just as successful, Renert said.
According to his company's research, close to 80 percent of users are on a version of Java that will no longer receive updates from Oracle. Java 6 was patched by the company for the last time in February.
“Given the increasing frequency, severity and sophistication of the latest threats, the risk gap from unknown attacks across these kind of vectors is on the rise,” Renert said.