Upcoming Events

Where the Cloud Touches Down: Simplifying Data Center Infrastructure Management

Thursday, July 25, 2013
10:00 AM PT/1:00 PM ET

In most data centers, DCIM rests on a shaky foundation of manual record keeping and scattered documentation. OpManager replaces data center documentation with a single repository for data, QRCodes for asset tracking, accurate 3D mapping of asset locations, and a configuration management database (CMDB). In this webcast, sponsored by ManageEngine, you will see how a real-world datacenter mapping stored in racktables gets imported into OpManager, which then provides a 3D visualization of where assets actually are. You'll also see how the QR Code generator helps you make the link between real assets and the monitoring world, and how the layered CMDB provides a single point of view for all your configuration data.

Register Now!

A Network Computing Webinar:
SDN First Steps

Thursday, August 8, 2013
11:00 AM PT / 2:00 PM ET

This webinar will help attendees understand the overall concept of SDN and its benefits, describe the different conceptual approaches to SDN, and examine the various technologies, both proprietary and open source, that are emerging. It will also help users decide whether SDN makes sense in their environment, and outline the first steps IT can take for testing SDN technologies.

Register Now!

More Events »

Subscribe to Newsletter

  • Keep up with all of the latest news and analysis on the fast-moving IT industry with Network Computing newsletters.
Sign Up

Java Vulnerabilities Pervasive In The Enterprise

A favorite target for cyber attackers, Java has become a major problem for enterprise security teams. But a new report sheds light on just how widespread and complicated the problem is.

According to the study, "Java Vulnerabilities: Write Once, Pwn Anywhere," from security firm Bit9, the most popular version of Java running on Bit9 customers' endpoints is version 6 update 20, which has 96 known vulnerabilities. Researchers discovered that version 6 update 20 was running on 9% of the approximately 1 million systems across hundreds of enterprises analyzed for the report; less than 1% of enterprises run the latest version of Java.

More Insights

Webcasts

More >>

White Papers

More >>

Reports

More >>

The average organization has more than 50 versions of Java installed across all of its endpoints, Bit9 said. Five percent of the enterprises researchers analyzed have more than 100 versions of Java installed. Ninety-three percent of organizations are running a version of Java at least five years old. Additionally, more than half (51%) were found to have a version between five and 10 years old.

"It is perhaps not well known outside the security research community that malicious Java code can target outdated instances of Java even after the most recent version of Java has been installed on an endpoint," the report notes.

The problem is that installing a new version of Java does not always remove older versions of the software; there are sometimes redundant versions on the same endpoint.

"The [Java] updater does remove the most recently installed version; it doesn’t remove any previous ones," explained Dan Brown, lead researcher at Bit9. "This was certainly by design. If users want to 'update' their software, I can’t presume that previous versions they may have weren’t intentionally installed. For example, they could be developers testing their code against different versions. This is part of what makes Java unique; it’s not just an end-user application; it’s also a VM [virtual machine], a language, runtime, API, etc."

[Read about new flaws HD Moore discovered in a widely used protocol in, "New Gaping Security Holes Found Exposing Servers."]

Enterprise organizations continue to be behind the curve on patching Java, said Dana Tamir, director of enterprise security at Trusteer. Typically, it takes an organization between three and nine months to apply Java patches due to the extensive quality assurance testing they need to conduct before applying each patch, she added.

Were it not for the fact that hackers have been paying close attention to Java vulnerabilities, this would be less of an issue. However, Java exploits have become common pieces of exploit kits such as Blackhole, Cool and Redkit. Earlier this year, US-CERT advised the public to disable Java unless it is necessary. In response to the negative attention, Oracle has pledged to improve Java security.

Disabling Java however is not as easy for some organizations as it sounds, Brown said.

"It’s similar to the fact that it’s easy for home users to upgrade their Windows OS overnight, but it takes corporations years to plan for and implement such a move," he told Network Computing. "And many organizations rely on Java as a legacy technology, for example, for internally developed applications."

Bit9 recommends that organizations decide whether or not Java is necessary for the business. If the decision is made to remove Java, organizations should use software management tools to remove it, the company advised.


Related Reading


Network Computing encourages readers to engage in spirited, healthy debate, including taking us to task. However, Network Computing moderates all comments posted to our site, and reserves the right to modify or remove any content that it determines to be derogatory, offensive, inflammatory, vulgar, irrelevant/off-topic, racist or obvious marketing/SPAM. Network Computing further reserves the right to disable the profile of any commenter participating in said activities.

 
Disqus Tips To upload an avatar photo, first complete your Disqus profile. | Please read our commenting policy.
 
Vendor Comparisons
Network Computing’s Vendor Comparisons provide extensive details on products and services, including downloadable feature matrices. Our categories include:

Research and Reports

Network Computing: April 2013



TechWeb Careers