Most enterprise networks riddled with vulnerable Java installations, report says

Most enterprise systems have more than one version of Java installed, and the vast majority of them are outdated, security firm Bit9 said

Despite the significant Java security improvements made by Oracle during the past six months, Java vulnerabilities continue to represent a major security risk for organizations because most of them have outdated versions of the software installed on their systems, according to a report by security firm Bit9.

Bit9's report was released Thursday and is based on data about Java usage collected from approximately 1 million enterprise endpoint systems owned by almost 400 organizations that use the company's software reputation service.

The data shows that Java 6 is the most prevalent major version of Java in enterprise environments, present on more than 80 percent of enterprise computers that have Java installed.

Java 6 reached the end of public support in April, and only Oracle customers with a long-term support contract will continue to receive security updates for it. Java 7, the version that is the focus of Oracle's recent security strengthening efforts, was only found on around 15 percent of endpoint systems sampled by Bit9.

Furthermore, most companies that run Java 6 on their systems don't have the latest security updates for it, the security firm found.

The most widely deployed Java version, according to Bit9's data, was Java 6 Update 20, which was installed on a little over 9 percent of endpoints. This version of Java is vulnerable to a total of 215 security issues, 96 of which have the maximum impact score on the Common Vulnerability Scoring System (CVSS) scale, Bit9 said.

The last publicly available security update for Java 6 is Java 6 Update 45, which was released in April at the same time as Java 7 Update 21, the latest version of Java available when Bit9 collected data for its report.

Only 3 percent of enterprise endpoint systems were running Java 7 Update 21, the company said. Those endpoints, however, belonged to only 0.25 percent of the sampled organizations: the up-to-date installations were concentrated in a handful of large organizations, which suggests that organizations with more endpoints are more likely to have the latest version of Java deployed.

Another issue is that many enterprise systems have multiple versions of Java running on them. Around 65 percent of systems had more than two versions of Java installed at the same time, and approximately 20 percent had more than three versions.

According to Bit9's report, on average, organizations have more than 50 distinct versions of Java installed in their environments. About 5 percent of organizations have more than 100 versions.

This problem mainly stems from how the Java installation and updating process deals with older versions.

The Java 7 updater will attempt to remove existing installations of Java 6, but a clean installation of Java 7 won't remove older versions, said Harry Sverdlove, Bit9's chief technology officer. Java 5 versions are not removed during Java 7's installation or update processes, he said.

The Bit9 data showed that 93 percent of organizations have a version of Java on some of their systems that's at least five years old. Fifty-one percent have a version that's between five and 10 years old.

The problem with having multiple versions of Java installed at the same time on a system is that attackers can target the older and vulnerable versions to hack into that computer. Once that happens, the security of the newer Java versions doesn't help.

Code that enumerates all Java versions installed on a system for reconnaissance purposes has already been seen in real attacks, Bit9 said in the report.

Having different Java versions on a system increases usability because customers can run legacy applications, but from a security perspective it's a nightmare, Sverdlove said. Every version that is installed introduces yet another set of known vulnerabilities that attackers can target, he said.

Sverdlove compared the situation of companies running five-to-10-year-old versions of Java to running Windows 95. This practice might be convenient for compatibility reasons, but it's a horrible security risk, he said.

In most cases, this kind of Java version fragmentation inside enterprise environments is probably not even intentional, as many companies don't understand or keep track of how many versions they have installed, Sverdlove said.

First and foremost, organizations should get an assessment of what Java versions they have in their environments and where, Sverdlove said. The next step should be for them, as a matter of security policy, to stop and seriously consider whether they need Java, and if they do, for what purposes, he said.

The results of this assessment will vary among organizations, Sverdlove said. Some companies might find that a particular version of Java is needed to run legacy applications, but only on certain computers. Others might discover that certain websites that require Java work with the latest version of the software, and some might find that Java is only needed on their servers and not on desktops, he said.

Regardless of their individual Java needs, organizations should create a Java deployment policy and enforce it, Sverdlove said. If their policy is to not have Java, then they should use tools to block it from running; if they determine that they only need Java on certain machines, then they should remove it from all other machines, he said.
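The assessment and policy steps described above (inventory every installed version, decide per machine whether Java is needed and which build is allowed, then remove or update everything else) are straightforward to script once the version strings are in hand. The following is an added example, not code from the Bit9 report or from the article; the host inventory and the per-host policy are constructed for illustration, and the "last public update" numbers (Java 6 Update 45, Java 7 Update 21) are the ones the article cites for April 2013. It parses the version strings as they appear in `java -version` output or under the JavaSoft registry keys, classifies each build against that baseline, and turns the policy into concrete keep/update/remove actions for each installation, which is the enforcement step Sverdlove recommends.

```python
"""Inventory and policy check for Java installations (added example).

Version strings follow the pre-Java-9 scheme: "1.6.0_20" is Java 6 Update 20,
"1.7.0_21" is Java 7 Update 21. The regex also matches the string embedded in
the first line of `java -version` output, e.g. java version "1.6.0_20".
"""
import re
from collections import Counter

VERSION_RE = re.compile(r"\b1\.(\d+)\.(\d+)(?:_(\d+))?")

# Last public update per major version at the time of the report (April 2013).
LAST_PUBLIC_UPDATE = {6: 45, 7: 21}
# Java 6 left public support in April 2013; Java 5 and earlier long before.
PUBLIC_SUPPORT_ENDED = {6}


def parse_java_version(version):
    """Return (major, update) for strings like '1.6.0_20' or a java -version line."""
    m = VERSION_RE.search(version)
    if not m:
        raise ValueError(f"unrecognised Java version string: {version!r}")
    return int(m.group(1)), int(m.group(3) or 0)


def classify(version):
    """Classify one build: unsupported, end-of-life, outdated or current."""
    major, update = parse_java_version(version)
    latest = LAST_PUBLIC_UPDATE.get(major)
    if latest is None:            # Java 5 and older: no baseline, no fixes
        return "unsupported"
    if major in PUBLIC_SUPPORT_ENDED:
        return "end-of-life"      # even 6u45 gets no further public fixes
    if update < latest:
        return "outdated"
    return "current"


# Constructed inventory: hostname -> Java builds found on that endpoint.
INVENTORY = {
    "finance-ws-01": ["1.7.0_21"],
    "finance-ws-02": ["1.6.0_20", "1.7.0_21"],
    "sales-ws-04": ["1.7.0_09"],
    "legacy-app-srv": ["1.5.0_22", "1.6.0_45"],
    "hr-ws-07": ["1.6.0_20", "1.6.0_31", "1.7.0_09"],
    "kiosk-03": [],
}

# Constructed policy: hostname -> set of builds allowed there.
# An empty set means "no Java on this machine".
POLICY = {
    "finance-ws-01": {"1.7.0_21"},
    "finance-ws-02": {"1.7.0_21"},
    "sales-ws-04": {"1.7.0_21"},
    "legacy-app-srv": {"1.6.0_45"},   # legacy app needs Java 6; pin to last public build
    "hr-ws-07": set(),                # no business need for Java
    "kiosk-03": set(),
}


def summarize(inventory):
    """Fragmentation figures of the kind the report measured."""
    counts = Counter(v for versions in inventory.values() for v in versions)
    return {
        "distinct_versions": len(counts),
        "multi_version_hosts": sum(1 for v in inventory.values() if len(v) > 1),
        "most_common": counts.most_common(1)[0] if counts else None,
    }


def audit(inventory, policy):
    """Return (host, version, status, action) for every installed build.

    keep   - build is explicitly allowed on this host
    update - same major version is allowed, but a different build is installed
    remove - host allows no Java, or nothing of this major version is allowed
    """
    findings = []
    for host, versions in inventory.items():
        allowed = policy.get(host, set())          # unknown host: treat as "no Java"
        allowed_majors = {parse_java_version(a)[0] for a in allowed}
        for v in versions:
            major, _ = parse_java_version(v)
            if v in allowed:
                action = "keep"
            elif major in allowed_majors:
                action = "update"
            else:
                action = "remove"
            findings.append((host, v, classify(v), action))
    return findings


if __name__ == "__main__":
    print(summarize(INVENTORY))
    for finding in audit(INVENTORY, POLICY):
        print("%-15s %-10s %-12s %s" % finding)
```

The audit is deliberately per build rather than per host: as the article notes, a current Java 7 next to an unpatched Java 6 does not protect the machine, so every installation on a host needs its own keep/update/remove verdict. On a real estate the `INVENTORY` dictionary would be fed from an endpoint agent or from the JavaSoft registry keys and `/usr/lib/jvm` listings, and the `remove`/`update` rows would drive the uninstall and deployment jobs.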

The most common way for attackers to exploit Java installations is through the browser plug-in: users are lured to websites hosting exploits, and the plug-in hands the attacker's code to whichever vulnerable version is installed.

The Bit9 report did not contain specific information about how many of the Java installations identified on enterprise endpoints were accessible through the Web browsers on those computers. However, the majority of the sampled endpoint systems were desktops and laptops, so the likelihood of those Java installations being exposed to Web attacks is high, Sverdlove said.

Lucian Constantin

IDG News Service