The vast majority of enterprise computers are susceptible to new Java exploits because these machines are still running older versions of the popular general-purpose, object-oriented computer programming language, according to computer security software maker Websense Inc.
By Websense’s estimates, as many as 93 per cent of enterprise organizations are vulnerable to Java exploits. Nearly 50 per cent of enterprise traffic used a Java version that was more than two years out of date, according to the firm’s recent research data.
“New Java exploits, CVE-2013-2473 and CVE-2013-2463, are already making a big impact by targeting computers running outdated versions of Java,” the company said in a recent statement. “It’s clear the cybercriminals know there is a Java update problem for many organizations.”
Websense carried out an in-depth analysis throughout August this year across multiple verticals and industries. The company surveyed millions of real-world Web requests for Java usage through its global ThreatSeeker Intelligence Cloud.
Among its key findings were:
- Only 19 per cent of enterprise Windows-based computers run the latest version of Java (7u25)
- More than 40 per cent of enterprise Java requests are for browsers still using Java 6. As a result, more than 80 per cent of Java requests are susceptible to the new Java exploits CVE-2013-2473 and CVE-2013-2463
- As many as 83.86 per cent of enterprise browsers have Java enabled
- Nearly 40 per cent of users are not running the latest version of Flash
On the positive side, Websense said Java requests went down to 40 per cent in August from 70 per cent earlier this year.
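The kind of measurement described above can be reproduced on an organization's own proxy logs. The following is an added example, not code from the article or from Websense: it classifies Java client versions using the `Java/1.x.y_zz` User-Agent token that Java's HTTP client and browser plug-in send, applying the article's criteria (Java 6 has no patch; any Java 7 below 7u25 is outdated). The log lines are constructed.

```python
import re
from collections import Counter

# Constructed proxy log lines: client IP, request, User-Agent.
LOG_LINES = [
    '10.0.0.5 "GET /app/applet.jar" "Mozilla/4.0 (Windows 7 6.1) Java/1.7.0_25"',
    '10.0.0.6 "GET /app/applet.jar" "Mozilla/4.0 (Windows 7 6.1) Java/1.6.0_45"',
    '10.0.0.7 "GET /app/applet.jar" "Mozilla/4.0 (Windows 7 6.1) Java/1.7.0_21"',
    '10.0.0.8 "GET /index.html" "Mozilla/5.0 (Windows NT 6.1) Firefox/23.0"',
    '10.0.0.9 "GET /app/applet.jar" "Java/1.6.0_39"',
]

# Java identifies itself as Java/1.<major>.<minor>_<update>, e.g. Java/1.7.0_25.
JAVA_UA = re.compile(r"Java/1\.(\d+)\.(\d+)_(\d+)")
LATEST = (7, 25)  # Java 7 Update 25, the current release cited in the article


def parse_java_version(user_agent):
    """Return (major, update) from a Java UA token, or None if not a Java client."""
    m = JAVA_UA.search(user_agent)
    if not m:
        return None
    return int(m.group(1)), int(m.group(3))


def classify(version):
    """Bucket a (major, update) pair by the article's exposure criteria."""
    major, update = version
    if major <= 6:
        return "java6-or-older"  # no public patch available for the new CVEs
    if (major, update) < LATEST:
        return "java7-outdated"  # Java 7 but behind 7u25
    return "current"


def summarize(lines):
    """Count Java requests per bucket; 'exposed' = everything below 7u25."""
    counts = Counter()
    for line in lines:
        version = parse_java_version(line)
        if version is None:
            continue  # not a Java client request
        counts[classify(version)] += 1
    total = sum(counts.values())
    exposed = counts["java6-or-older"] + counts["java7-outdated"]
    return {"total_java": total, "exposed": exposed, **counts}
```

Running `summarize(LOG_LINES)` on the constructed sample reports 4 Java requests, 3 of them exposed (2 on Java 6, 1 on an outdated Java 7).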
In January, the United States Department of Homeland Security urged computer users to disable Java plug-ins in their browsers because of a major vulnerability.
Around that time it was also reported that an emergency security update to Java 7 had failed to patch two new vulnerabilities and Oracle Corp.’s ability to ensure the security of Java was called into question by some analysts.
Websense also found that nearly 25 per cent of Flash installations are more than six months old. Close to 20 per cent of Flash installations are outdated by a year, and about 11 per cent are out of date by two years.
The security company also said that its ThreatSeeker Intelligence Cloud detected an uptick in new hosts running the Neutrino exploit kit. Typically associated with ransomware payloads, Neutrino is best known for its easy-to-use control panels and its ability to evade antivirus (AV) and intrusion prevention systems (IPS).
Websense said the spike could be attributed to the addition of Java-based code execution exploits to Neutrino.
“Forty per cent of Java 6 users are vulnerable to these new exploits and there are no software patches in sight,” said Websense. “Effective exploit kit delivery systems such as Neutrino, and unpatched vulnerabilities targeting Java 6, create a significant challenge to organizations that have not updated to Java 7.”