Java vulnerabilities still causing major security headaches despite efforts

Posted on Nov 2, 2013 in Blog

Though Oracle has tried very hard to better secure its still ubiquitous programming language (89 patches in its latest security update), Java unsurprisingly remains the most targeted endpoint technology of 2013. It is a dubious honor that shows little chance of changing soon, with Apple being the latest victim of a Java exploit after Facebook and Twitter were also hacked earlier this year.

According to the latest Java Vulnerabilities Report from Bit9 (requires registration), the reasons that Java remains so vulnerable are abundantly clear, and not all of the blame can be placed squarely on Oracle.

For example, even though Oracle keeps pushing out new updates all the time, few companies are actually installing those updates consistently:

  • Less than 1% of enterprises run the latest version of Java.
  • 93% of organizations are running a version more than 5 years old.
  • 42% of endpoints have more than two versions of Java.
  • The average organization has 51 distinct versions of Java installed.

OK, it's true that part of the reason for so many versions of Java being out there is that the installation and update process does not remove older versions of the language. This means that most organizations are going to have to manually clean up their machines in order to purge all these old versions (Oracle does provide some instructions for this).

It is also true that the technology ecosystem is moving away from Java, largely because of these continuous risk exposures. However, the reality is that the language is still used ubiquitously on the internet and is available on the vast majority of machines.

Sadly, in many cases users are forced to keep using Java regardless of their personal preference, for example to access their web banking or other important online services. Simply disabling the language is not an option for many unless they are willing to live without convenient access to some critical services.

Since most of us are still forced to keep using Java in the meantime, the minimum we can do is get rid of all the old installations that are almost certainly on your machine right now, especially if you are still running version 6:

  • Version 6 is considered the most vulnerable version of Java.
  • Version 6 Update 20 alone has 96 “Perfect 10” vulnerabilities.
  • The top 10 most vulnerable versions of Java all belong to the version 6 release.
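As an added illustration (not part of the original post or of Bit9's report): a small Python audit that takes a constructed per-host inventory of Java version strings, parses both the pre-9 "1.6.0_20" form and the newer "17.0.2" form, and flags the two conditions the post calls out, hosts carrying more than one Java and hosts still carrying a Java 6-era build. The host names, the tab-separated inventory format and the "6 or older" threshold are assumptions; collecting the inventory itself is out of scope here.

```python
import re

# Constructed sample inventory (not real endpoint data): one "host<TAB>version"
# line per Java installation found, in the formats Java itself reports.
SAMPLE_INVENTORY = """\
ws-01\t1.6.0_20
ws-01\t1.7.0_45
ws-01\t1.8.0_281
ws-02\t1.6.0_45
ws-02\t1.6.0_20
ws-03\t17.0.2
ws-04\t1.8.0_281
"""

LEGACY_MAJOR = 6  # assumed threshold: Java 6 and older are the builds to purge first


def parse_java_version(text):
    """Return (major, minor, update) from a Java version string.

    Pre-9 strings look like '1.6.0_20' (major 6, update 20); JEP 223 style
    strings look like '17.0.2' (major 17). Anything else raises ValueError.
    """
    m = re.fullmatch(r"1\.(\d+)\.(\d+)_(\d+)", text.strip())
    if m is None:
        m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)", text.strip())
    if m is None:
        raise ValueError(f"unrecognised Java version string: {text!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3))


def audit_inventory(inventory, legacy_major=LEGACY_MAJOR):
    """Per host: how many Javas, whether more than one, whether any legacy build,
    and which installs are older than the newest one present (purge candidates)."""
    per_host = {}
    for line in inventory.splitlines():
        if line.strip():
            host, ver = line.split("\t")
            per_host.setdefault(host, []).append(parse_java_version(ver))
    report = {}
    for host, versions in per_host.items():
        newest = max(versions)  # tuple comparison orders (major, minor, update)
        report[host] = {
            "count": len(versions),
            "multiple": len(versions) > 1,
            "legacy": any(v[0] <= legacy_major for v in versions),
            "stale": [v for v in versions if v != newest],
        }
    return report


def distinct_versions(inventory):
    """Fleet-wide count of distinct Java builds (the post's '51 versions' figure)."""
    return len({parse_java_version(l.split("\t")[1])
                for l in inventory.splitlines() if l.strip()})
```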
