The reasons for this? A lack of basic security maintenance. Websense Security Labs, which conducted the study, found that close to 75% of end-users are using a Java Runtime Environment release that is more than six months out of date. Almost two-thirds of users are a year behind, and more than 50% are two years behind. A third are three years behind.
Almost a quarter of all Java end points are using a version of Java that is more than four years old.
Many of these exploits have been commoditized through the latest exploit kits, including Cool, Blackhole and Gong Da. Right now, there are six vulnerabilities being actively exploited, Websense found.
“It is probably no surprise that the largest single exploited vulnerability is the most recent one, with a vulnerable population of browsers at 93.77%,” the company said. “That's what the bad guys do – examine your security controls and find the easiest way to bypass them.”
Simply grabbing a copy of the latest version of Cool and using a pre-packaged exploit is a pretty low bar to go after such a large population of vulnerable browsers. Most browsers are vulnerable to a much broader array of well-known Java holes.
“And don't forget that if you're not on version 7 (which is 78.86% of you), Oracle won't be sending you any more updates even if new vulnerabilities are uncovered,” Websense noted.
But the problem is more complex than IT laziness. “Let's drill in and try to understand the core problem,” the company said in a blog post. “With so many vulnerabilities, it's hard to keep browsers up to date with the latest patched versions – especially because Java is updated independently from the browser. How hard is it? We decided to check.”
The company added Java version detection to its ThreatSeeker Network to get real-time telemetry about which versions of Java are actively being used across tens of millions of endpoints, and found that “Java versions are all over the map.” At the time of the study, the latest Java Runtime Environment was 1.7.17, but only about 5% of the overall mix are using it.
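The telemetry described above boils down to one question per endpoint: which JRE is installed, and how does it compare with the current release? The script below is an added example (it is not Websense's ThreatSeeker code or anything from the article) that parses the version strings `java -version` prints, compares each against a baseline, and summarises a fleet the way the study does, as percentages of the population. The baseline 1.7.0_17 is the full form of the "1.7.17" the article names as the then-current JRE; the host inventory is constructed sample data, and the legacy `1.x.y_uu` and modern `11.0.2` formats are both handled, which goes beyond the 2013-era strings in the text.

```python
"""Classify a fleet's Java Runtime Environment versions against a baseline.

Added example, not code from the article or the vendors it quotes. The
inventory is constructed sample data; the baseline is an assumption taken
from the article's statement that 1.7.17 (i.e. 1.7.0_17) was current.
"""
import re
from collections import Counter
from typing import NamedTuple


class JavaVersion(NamedTuple):
    family: int   # 7 for 1.7.x (legacy naming), 11 for 11.x (modern naming)
    minor: int
    update: int


# Legacy scheme used through Java 8: 1.<family>.<minor>_<update>, e.g. 1.7.0_17
_LEGACY = re.compile(r"^1\.(\d+)\.(\d+)(?:_(\d+))?$")
# Modern scheme from Java 9 on: <family>.<minor>.<update>, e.g. 11.0.2
_MODERN = re.compile(r"^(\d+)(?:\.(\d+))?(?:\.(\d+))?$")
# First line of `java -version` output, e.g. java version "1.7.0_17"
_VERSION_LINE = re.compile(r'(?:java|openjdk) version "([^"]+)"')


def parse_version(text: str) -> JavaVersion:
    """Turn a version string into a comparable (family, minor, update) tuple."""
    text = text.strip().strip('"')
    m = _LEGACY.match(text)
    if m:
        return JavaVersion(int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))
    m = _MODERN.match(text)
    if m:
        return JavaVersion(int(m.group(1)), int(m.group(2) or 0), int(m.group(3) or 0))
    raise ValueError(f"unrecognised Java version string: {text!r}")


def version_from_output(output: str) -> JavaVersion:
    """Extract the version from the text `java -version` writes to stderr."""
    m = _VERSION_LINE.search(output)
    if not m:
        raise ValueError("no 'java version' line found in output")
    return parse_version(m.group(1))


BASELINE = parse_version("1.7.0_17")   # assumed current release at study time


def classify(version: JavaVersion, baseline: JavaVersion = BASELINE) -> str:
    """current: at or above baseline; unsupported: pre-7 family (no more
    Oracle updates, per the article); outdated: 7.x but behind baseline."""
    if version >= baseline:
        return "current"
    if version.family < baseline.family:
        return "unsupported"
    return "outdated"


# Constructed endpoint inventory: (hostname, string reported by java -version)
SAMPLE_INVENTORY = [
    ("ws-01", "1.7.0_17"),
    ("ws-02", "1.7.0_11"),
    ("ws-03", "1.6.0_43"),
    ("ws-04", "1.6.0_20"),
    ("ws-05", "1.5.0_22"),
    ("ws-06", "1.7.0_17"),
    ("ws-07", "1.7.0_09"),
    ("ws-08", "1.6.0_31"),
]


def summarize(inventory, baseline: JavaVersion = BASELINE) -> dict:
    """Percentage of endpoints in each bucket, rounded to two decimals."""
    counts = Counter(classify(parse_version(raw), baseline) for _, raw in inventory)
    total = sum(counts.values())
    return {bucket: round(100.0 * n / total, 2) for bucket, n in counts.items()}


if __name__ == "__main__":
    for bucket, pct in sorted(summarize(SAMPLE_INVENTORY).items()):
        print(f"{bucket:12s} {pct:6.2f}%")
```

In a real deployment the inventory would come from an endpoint agent or software-inventory export rather than the constructed list; `version_from_output` is the piece that consumes what `java -version` actually prints.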
Solutionary meanwhile recently looked into the history of reported Java vulnerabilities since 1996 – and found an alarming growth trajectory at play. Specifically, the number of vulnerabilities reported in February 2013 has already surpassed that of every prior month, and 2013 is already on its way to setting the record for most vulnerabilities reported. In the first three months of the year, the reported vulnerabilities are roughly 75% of the total for the most embattled year on record, 2009.
“There has been a lot of time and energy spent lately on responding to matters relating to Java and the platform’s security,” said Solutionary researcher Robert Jeffries, in a blog post releasing the results. “My suspicion is that the problems currently facing the Java platform probably have more to do with its success than with some fundamental design error or security flaw. The recent surge in Java vulnerability submissions to the National Vulnerability Database could also be prescribed to response from the security community as awareness of the situation has matured.”
Lesson? As ever, as the popularity of a software platform increases, so does the amount of malicious attention it receives.
“History will decide if flaws such as the ones we currently face become ‘textbook’ secure-coding lessons in the future, but this will do little for us today,” Jeffries said. “If the huge stack of vulnerabilities listed over on the website of Zero Day Initiative’s ‘Upcoming Advisories’ are any indication, 2013 is just getting warmed up.”