Researchers find Java users woefully tardy on patching

Java has been a jackpot for hackers in recent months and an analysis of its users released Tuesday suggests why that's so.

More than 50 percent of Java users are running a version of the program that's more than two years old, according to the analysis based on more than one billion endpoints monitored by Websense Security Lab.

Moreover, 75 percent of all users are running a version that's six months old or older.

Although Oracle has scheduled a critical security update for Java on June 18, it's unlikely that there'll be a rush to install it, since 93 percent of the program's users have yet to install the last critical security update issued April 16.

Antivirus software maker Avast had similar findings when it surveyed its users in March. Only four percent of them had the most up to date version of Java, noted Avast CTO Ondrej Vlcek.

"You'd expect the consumer segment to be worse than the enterprise, but we didn't expect four percent," he said in an interview.

Oracle did not respond to a request for comment for this story.

While it may puzzle the security community why an organization wouldn't want to keep its software up to date to avoid getting hacked, some companies don't see things that way.

"A lot of corporate networks have internal apps that are dependent on certain versions of Java, and they've been broken through patches," Websense Security Lab marketing manager Bob Hansmann told CSO.

"So a lot of this is intentional," he said, "[A lot] of it is by design, but it does create a huge exposure."

[Also see: Oracle's Java security improvements don't quite satisfy]

Oracle's updating procedure in corporations can also be a barrier to prompt patching, said Ross Barrett, a senior manager of security engineering at Rapid7.

"When the Java updater runs, it can require administrator privileges," he said. "A lot of organizations aren't going to give those kinds of credentials to their average users."

"That means someone from IT has to interact with the system to apply the patch, which is just time consuming and inefficient," Barrett said.

Many local users who do have the power to update Java won't do it when prompted to do so. "The average end user in finance or marketing will think security told me not to click on things so I won't do it," Barrett said. "Even organizations that rely on Java don't have a corporate wide patching solution in place that supports Java."

With only about seven percent of the systems using Java keeping their updates current, it's easy for online marauders to take advantage of the many vulnerabilities in Java that have been around forever, he explained.

Even short delays in upgrading systems can be costly to a company. That's because a bad app can act very quickly. "More than half the malware out there will communicate with its Internet control within 60 seconds of infection," Hansmann said.

In the past, malicious programs would wait until the wee hours of the morning to communicate with their overlords, but there are so many applications on a computer nowadays polling the Net for information and updates that delays are no longer necessary. "They don't have to wait," he said. "They can get lost in all the chatter."

If companies need to use old copies of Java with known vulnerabilities, Hansmann recommended they at least take an inventory of where they're using Java. "Do they really need it on all their systems?" he asked.
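The kind of inventory Hansmann recommends is easy to script once you can normalise what `java -version` reports. The following Python is an added example for this article, not code from Websense, Rapid7, Avast or Oracle: it parses both the legacy `1.7.0_21` banner format and the newer `17.0.2` format into a comparable tuple, checks each host against a patch baseline, and reports how many Java installs are actually current. The hostnames and banners in `SAMPLE_HOSTS` are constructed, and `BASELINE` is an assumed policy table, not a set of figures from the article.

```python
import re
from typing import Dict, Optional, Tuple

Version = Tuple[int, int, int]  # (feature, interim, update), e.g. 1.7.0_21 -> (7, 0, 21)

# First line of `java -version` output as collected from each host. These
# hostnames and banners are constructed for this example, not real data.
SAMPLE_HOSTS: Dict[str, str] = {
    "ws-finance-01": 'java version "1.6.0_45"',
    "ws-marketing-07": 'java version "1.7.0_17"',
    "build-server": 'openjdk version "1.8.0_312"',
    "dev-laptop": 'openjdk version "17.0.2" 2022-01-18',
    "kiosk-03": "bash: java: command not found",
}

# Assumed patch policy: for each feature release still allowed, the minimum
# acceptable version. A host on a release not listed here is "unsupported".
# These values are illustrative policy inputs, not figures from the article.
BASELINE: Dict[int, Version] = {
    7: (7, 0, 21),
    8: (8, 0, 312),
    17: (17, 0, 2),
}

_BANNER_RE = re.compile(
    r'(?:java|openjdk) version "(\d+)(?:\.(\d+))?(?:\.(\d+))?(?:_(\d+))?'
)


def parse_java_version(banner: str) -> Optional[Version]:
    """Normalise a `java -version` banner line to (feature, interim, update).

    Handles the legacy "1.<feature>.0_<update>" scheme used through Java 8
    and the JEP 223 "<feature>.<interim>.<update>" scheme used from Java 9.
    Returns None when the line carries no Java version at all.
    """
    m = _BANNER_RE.search(banner)
    if m is None:
        return None
    a, b, c, upd = (int(g) if g is not None else 0 for g in m.groups())
    if a == 1:
        # legacy scheme: 1.7.0_21 -> feature 7, update 21
        return (b, 0, upd)
    # modern scheme: 17.0.2 -> feature 17, interim 0, update 2
    return (a, b, c)


def classify(version: Optional[Version], baseline: Dict[int, Version]) -> str:
    """Bucket one host as no-java, unsupported, outdated or current."""
    if version is None:
        return "no-java"
    feature = version[0]
    if feature not in baseline:
        return "unsupported"
    return "current" if version >= baseline[feature] else "outdated"


def inventory(hosts: Dict[str, str], baseline: Dict[int, Version]) -> Dict[str, str]:
    """Map every host to its patch status."""
    return {host: classify(parse_java_version(banner), baseline)
            for host, banner in hosts.items()}


def current_fraction(report: Dict[str, str]) -> float:
    """Share of hosts that run Java and are on an acceptable version."""
    with_java = [s for s in report.values() if s != "no-java"]
    if not with_java:
        return 0.0
    return sum(1 for s in with_java if s == "current") / len(with_java)


if __name__ == "__main__":
    report = inventory(SAMPLE_HOSTS, BASELINE)
    for host, status in sorted(report.items()):
        print(f"{host:16} {status}")
    print(f"current: {current_fraction(report):.0%} of hosts with Java")
```

Feeding the script real banners collected by whatever endpoint agent or remote-execution tool an organisation already has turns the "do we really need it on all these systems?" question into a concrete list: hosts with no Java can be left alone, hosts on an unsupported release need either an upgrade or a documented exception for the internal app that pins them there.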

Stories by John P. Mello