A favorite target for cyber attackers, Java has become a major problem for enterprise security teams. But a new report sheds light on just how widespread and complicated the problem is.
According to the study, "Java Vulnerabilities: Write Once, Pwn Anywhere," from security firm Bit9, the most popular version of Java running on Bit9 customers' endpoints is version 6 update 20, which has 96 known vulnerabilities. Researchers discovered that version 6 update 20 was running on 9% of the approximately 1 million systems across hundreds of enterprises analyzed for the report; less than 1% of enterprises run the latest version of Java.
The average organization has more than 50 versions of Java installed across all of its endpoints, Bit9 said. Five percent of the enterprises researchers analyzed have more than 100 versions of Java installed. Ninety-three percent of organizations are running a version of Java at least five years old. Additionally, more than half (51%) were found to have a version between five and 10 years old.
"It is perhaps not well known outside the security research community that malicious Java code can target outdated instances of Java even after the most recent version of Java has been installed on an endpoint," the report notes.
The problem is that installing a new version of Java does not always remove older versions of the software, so redundant, still-exploitable versions can accumulate side by side on the same endpoint.
"The [Java] updater does remove the most recently installed version; it doesn’t remove any previous ones," explained Dan Brown, lead researcher at Bit9. "This was certainly by design. If users want to 'update' their software, I can’t presume that previous versions they may have weren’t intentionally installed. For example, they could be developers testing their code against different versions. This is part of what makes Java unique; it’s not just an end-user application; it’s also a VM [virtual machine], a language, runtime, API, etc."
Enterprise organizations continue to be behind the curve on patching Java, said Dana Tamir, director of enterprise security at Trusteer. Typically, it takes an organization between three and nine months to apply Java patches due to the extensive quality assurance testing they need to conduct before applying each patch, she added.
Were it not for the fact that hackers have been paying close attention to Java vulnerabilities, this would be less of an issue. However, Java exploits have become common pieces of exploit kits such as Blackhole, Cool and Redkit. Earlier this year, US-CERT advised the public to disable Java unless it is necessary. In response to the negative attention, Oracle has pledged to improve Java security.
Disabling Java, however, is not as easy for some organizations as it sounds, Brown said.
"It’s similar to the fact that it’s easy for home users to upgrade their Windows OS overnight, but it takes corporations years to plan for and implement such a move," he told Network Computing. "And many organizations rely on Java as a legacy technology, for example, for internally developed applications."
Bit9 recommends that organizations decide whether or not Java is necessary for the business. If the decision is made to remove Java, organizations should use software management tools to remove it, the company advised.
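The side-by-side install problem described above, and Bit9's advice to inventory and remove Java with management tooling, as an added example (not code from the report, Bit9 or Network Computing): it parses the `java.version` strings an endpoint agent would collect (from `java -version` or the registry) and reports, per host, every runtime older than the newest one installed there, plus the number of distinct versions across the fleet. The inventory data below is constructed, not from the report.

```python
"""Inventory side-by-side Java installs and flag the stale copies on each host."""
from collections import Counter


def parse_version(s):
    """Turn a java.version string into a comparable (major, minor, patch, update) tuple.

    Handles the legacy scheme ("1.6.0_20" -> major 6, update 20) and the newer
    scheme ("11.0.2", "17") so mixed fleets sort correctly.
    """
    base, _, update = s.partition("_")
    parts = [int(p) for p in base.split(".")]
    if parts[0] == 1 and len(parts) > 1:   # legacy "1.x" prefix: real major is x
        parts = parts[1:]
    parts += [0] * (3 - len(parts))        # pad to major.minor.patch
    return tuple(parts[:3]) + (int(update or 0),)


def stale_runtimes(installed):
    """Return the versions on one endpoint that are older than the newest one present.

    These are the redundant runtimes the updater leaves behind and that older
    exploits can still target; the list is sorted oldest first.
    """
    if not installed:
        return []
    newest = parse_version(max(installed, key=parse_version))
    return sorted((v for v in installed if parse_version(v) < newest), key=parse_version)


def org_summary(inventory):
    """inventory maps hostname -> list of java.version strings found on that host."""
    distinct = Counter(v for versions in inventory.values() for v in versions)
    with_stale = {h: stale_runtimes(v) for h, v in inventory.items() if len(set(v)) > 1}
    return {
        "distinct_versions": len(distinct),
        "most_common": distinct.most_common(1)[0] if distinct else None,
        "hosts_with_stale_runtimes": with_stale,
    }


# Constructed sample inventory for demonstration (hypothetical hostnames and versions).
SAMPLE_INVENTORY = {
    "ws-001": ["1.6.0_20", "1.7.0_21"],
    "ws-002": ["1.6.0_20"],
    "ws-003": ["1.7.0_21", "1.6.0_45", "1.5.0_22"],
    "ws-004": ["1.7.0_21"],
}

if __name__ == "__main__":
    summary = org_summary(SAMPLE_INVENTORY)
    print(f"{summary['distinct_versions']} distinct versions; most common: {summary['most_common']}")
    for host, stale in summary["hosts_with_stale_runtimes"].items():
        print(f"{host}: stale runtimes to remove -> {', '.join(stale)}")
```

Feeding the same per-host lists to a software-management tool's uninstall step is the removal path the article recommends; the script only decides which copies are the redundant ones.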