Old Java Holes a Network Issue

Friday, July 19, 2013 @ 05:07 PM gHale

It becomes tiring to keep saying it, but whenever it is possible, users need to patch as soon as they can.

That statement comes out because, in spite of significant Java security improvements over the past six months, Java vulnerabilities continue to represent a major security risk for organizations because most of them have outdated versions of the software installed on their systems, a new report said.


The report is based on data about Java usage collected from approximately 1 million enterprise endpoint systems owned by almost 400 organizations that use the company’s software reputation service, said security company Bit9, which conducted the study.

The data shows Java 6 is the most prevalent major version of Java in enterprise environments, present on more than 80 percent of enterprise computers that have Java installed.

Java 6 reached the end of public support in April, and only Oracle customers with a long-term support contract will continue to receive security updates for it. Java 7, the version that is the focus of Oracle’s recent security strengthening efforts, was only found on 15 percent of endpoint systems sampled by Bit9.

Furthermore, most companies that run Java 6 on their systems don’t have the latest security updates for it, Bit9 said.

The most widely deployed Java version, according to Bit9’s data, was Java 6 Update 20, which was installed on a little over 9 percent of endpoints. This version of Java is vulnerable to 215 security issues, 96 of which have the maximum impact score on the Common Vulnerability Scoring System (CVSS) scale, Bit9 said.

The last publicly available security update for Java 6 is Java 6 Update 45, which was released in April at the same time as Java 7 Update 21, the latest version of Java available when Bit9 collected data for its report.

Only 3 percent of enterprise endpoint systems were running Java 7 Update 21, the company said. However, those endpoints belonged to only 0.25 percent of the sampled organizations, which seems to indicate organizations with a larger number of endpoints are more likely to have the latest version of Java installed on their systems.

Another issue is that quite a few enterprise systems have multiple versions of Java running on them. Around 65 percent of systems had more than two versions of Java installed at the same time, and 20 percent had more than three versions.

On average, organizations have more than 50 distinct versions of Java installed in their environments, Bit9’s report said. About 5 percent of organizations have more than 100 versions.

This problem mainly stems from how the Java installation and updating process deals with older versions.

The Java 7 updater will attempt to remove existing installations of Java 6, but a clean installation of Java 7 won’t remove older versions, said Harry Sverdlove, Bit9’s chief technology officer. Java 5 versions do not go away during Java 7’s installation or update processes, he said.

The Bit9 data showed 93 percent of organizations have a version of Java on some of their systems that’s at least five years old, while 51 percent have a version that’s between five and 10 years old.

The problem with having multiple versions of Java installed at the same time on a system is attackers can target the older and vulnerable versions to hack into that computer. Once that happens, the security of the newer Java versions doesn’t help.

Code that enumerates all Java versions installed on a system for reconnaissance purposes is a reality, Bit9 said in the report.

Having different Java versions on a system increases usability because customers can run legacy applications, but from a security perspective it’s a nightmare, Sverdlove said. Every version installed introduces yet another set of known vulnerabilities that attackers can target, he said.
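The two conditions the report describes, a version older than the last public update for its release and more than one version on the same machine, can be checked from an endpoint inventory. The following is an added example, not code from the article or from Bit9; it assumes the inventory has already been collected as JRE version strings in the `1.<major>.0_<update>` form and uses the update numbers the article gives (Java 6 Update 45, Java 7 Update 21) as the "current" baseline.

```python
# Added example: audit a per-endpoint inventory of installed Java versions and
# flag (a) versions that pre-date the last public update of their release and
# (b) hosts carrying more than one version. Inventory data below is constructed.
import re

# Last publicly available updates at the time of the report (from the article).
LATEST_PUBLIC_UPDATE = {6: 45, 7: 21}

# JRE version strings look like "1.6.0_20"; the update suffix may be absent.
VERSION_RE = re.compile(r"^1\.(\d+)\.0(?:_(\d+))?$")


def parse_java_version(s):
    """Return (major, update) for a string such as '1.6.0_20' -> (6, 20)."""
    m = VERSION_RE.match(s.strip())
    if not m:
        raise ValueError(f"unrecognised Java version string: {s!r}")
    return int(m.group(1)), int(m.group(2) or 0)


def classify(version):
    """'current', 'outdated', or 'unsupported' (no public updates at all)."""
    major, update = parse_java_version(version)
    latest = LATEST_PUBLIC_UPDATE.get(major)
    if latest is None:
        return "unsupported"  # e.g. Java 5 left behind by a Java 7 install
    return "current" if update >= latest else "outdated"


def audit(inventory):
    """inventory: dict host -> list of version strings. Returns findings per host."""
    findings = {}
    for host, versions in inventory.items():
        statuses = {v: classify(v) for v in versions}
        findings[host] = {
            "versions": statuses,
            "multiple_versions": len(versions) > 1,
            # One old version exposes the host regardless of newer ones present.
            "exposed": any(s != "current" for s in statuses.values()),
        }
    return findings


def hosts_needing_action(inventory):
    """Sorted list of hosts that still have at least one non-current version."""
    return sorted(h for h, f in audit(inventory).items() if f["exposed"])


# Constructed sample inventory (hypothetical hostnames, not real data).
SAMPLE_INVENTORY = {
    "ws-001": ["1.6.0_20"],
    "ws-002": ["1.7.0_21", "1.6.0_45", "1.5.0_22"],
    "ws-003": ["1.7.0_21"],
}
```

Running `audit(SAMPLE_INVENTORY)` flags ws-001 (outdated Java 6) and ws-002 (current Java 7 but an unsupported Java 5 still present), while ws-003 is clean.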
