Multiple Java versions on endpoints risky for enterprises
Posted on 22 July 2013.
Java represents a significant security risk to enterprises because it is the endpoint technology most targeted by cyber attacks, according to Bit9 research.

The company's threat research team analyzed Java deployment statistics on approximately 1 million endpoints at hundreds of enterprises worldwide, and identified significant risks posed by outdated versions of Java with many known vulnerabilities that remain widely deployed by many businesses.

Among the findings:
  • The average organization has more than 50 versions of Java installed across all of its endpoints.
  • Five percent of those enterprises have more than 100 versions of Java installed.
  • Most endpoints have multiple versions of Java installed, in part because the Java installation and update process often does not remove old versions.
  • Attackers can determine what versions of Java an enterprise is running and target the oldest, most vulnerable versions.
  • The most popular version of Java running on endpoints analyzed by Bit9 is version 6 update 20, which is present on 9 percent of all systems and has 96 known vulnerabilities of the highest severity.
  • Less than 1 percent of enterprises are running the latest version of Java.
“For the past 15 years or so, IT administrators have been under the misperception that updating Java would address its security issues,” said Harry Sverdlove, Bit9 chief technology officer.

“They have been told that to improve security, they should continuously and aggressively deploy Java updates on all of their endpoints. Unfortunately, updating is not the same as upgrading. Until very recently, those updates have failed to deliver the promised security upgrade because they have not removed older, highly vulnerable versions of Java they were intended to replace. As a result, most organizations have multiple versions of Java on their endpoints, including some that were released at the same time as Windows 95,” said Sverdlove.

The company also discovered that it is fairly easy for attackers to target older versions of Java without the enterprise even realizing it. Eighty-two percent of the analyzed endpoints are running the version 6 series of Java, which has the most known reported vulnerabilities.

Enterprises concerned about the security risks in older versions of Java should assess how many versions of Java are running in the enterprise, decide if these older versions are needed for valid business reasons and if Java should be running in browsers, then enforce those decisions with a comprehensive security solution.
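An inventory check along the lines of that assessment, added here as an example and not taken from the Bit9 report or from Help Net Security: it normalises Java version strings (both the "1.6.0_20" and "6u20" spellings), then reports how many distinct versions a fleet carries, which endpoints hold more than one runtime, and which still run anything older than a chosen baseline. The hostnames and installs are constructed sample data.

```python
import re
from collections import Counter

# Two common spellings of the same release: the internal "1.6.0_20" form and the
# marketing "6u20" / "Java 6 Update 20" form both mean Java 6, update 20.
_INTERNAL = re.compile(r"^1\.(\d+)\.\d+(?:_(\d+))?(?:-b\d+)?$")
_MARKETING = re.compile(r"^(?:java\s*)?(\d+)\s*(?:u|update\s*)(\d+)$", re.IGNORECASE)


def parse_java_version(text):
    """Map a Java version string to (major, update); None if unrecognised."""
    m = _INTERNAL.match(text.strip()) or _MARKETING.match(text.strip())
    return (int(m.group(1)), int(m.group(2) or 0)) if m else None


def assess(inventory, baseline):
    """Summarise a {hostname: [version strings]} inventory against a (major, update) baseline.

    Returns the distinct versions seen fleet-wide, the hosts carrying more than one
    runtime (leftovers the updater never removed), the hosts with anything older
    than the baseline, and how many hosts run each major series.
    """
    per_host = {}
    for host, strings in inventory.items():
        parsed = {parse_java_version(s) for s in strings}
        parsed.discard(None)  # unparseable entries are dropped, not guessed
        per_host[host] = parsed
    distinct = sorted(set().union(*per_host.values()))
    return {
        "distinct_versions": distinct,
        "multi_version_hosts": sorted(h for h, v in per_host.items() if len(v) > 1),
        "below_baseline": {h: sorted(x for x in v if x < baseline)
                           for h, v in per_host.items() if any(x < baseline for x in v)},
        "series_hosts": Counter(major for v in per_host.values() for major in {x[0] for x in v}),
    }


# Constructed sample inventory (hypothetical hostnames and installs), not Bit9 data.
SAMPLE_INVENTORY = {
    "ws-001": ["1.6.0_20", "1.7.0_25"],          # old Java 6 left behind by an update
    "ws-002": ["7u25"],
    "ws-003": ["Java 6 Update 20", "1.6.0_45", "1.7.0_21"],
    "ws-004": ["1.7.0_25", "not-a-version"],
}

if __name__ == "__main__":
    report = assess(SAMPLE_INVENTORY, baseline=(7, 25))
    print(f"{len(report['distinct_versions'])} distinct versions: {report['distinct_versions']}")
    print("hosts with multiple runtimes:", report["multi_version_hosts"])
    print("hosts below baseline:", report["below_baseline"])
    print("hosts per major series:", dict(report["series_hosts"]))
```

Feed it the version strings your inventory or endpoint agent already collects; the baseline should be whatever release you have decided is the minimum acceptable one.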

For more details about the research, download the full report (registration required).

COPYRIGHT 1998-2014 BY HELP NET SECURITY.