A report by Bit9 explains that the problem is not simply the ubiquity of Java but the failure of companies to control their Java installations. According to the report, the average organization has more than 50 versions of Java installed across its user base – and one in twenty companies has more than 100 versions. This is partly because installing a new version does not automatically remove the old one – but the effect is that an attacker can identify and target the oldest, most vulnerable version present on an endpoint.
Furthermore, patching is not the same as upgrading; and companies are still failing in both areas. Eighty-two percent of companies still use Java 6, which is the version with the most known reported vulnerabilities.
Harry Sverdlove, Bit9's CTO, explained the problems. "For the past 15 years or so," he said, "IT administrators have been under the misperception that updating Java would address its security issues. They have been told that to improve security, they should continuously and aggressively deploy Java updates on all of their endpoints." But, he added, updating is not the same as upgrading. Until very recently, those updates have failed to deliver the promised security upgrade because they have not removed the older, highly vulnerable versions of Java they were intended to replace. "As a result," explained Sverdlove, "most organizations have multiple versions of Java on their endpoints, including some that were released at the same time as Windows 95."
Bit9 recommends that companies should take an inventory of all Java versions installed across the company; determine whether the older versions are actually needed, and whether any is needed in the browser at all; and then actually enforce those decisions. "Many enterprises appear to be choosing to remove Java from their environments," concludes the report, "and the facts in this report underscore the rationale for doing so."
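The first of Bit9's three steps, the inventory, is the one that is easy to do badly: a list of "Java installed: yes/no" per host hides exactly the old runtimes the report is about. The following is an added example, not Bit9's tooling or anything from the report. It assumes you already have an agent or login script that captures the first line of `java -version` for every Java binary it finds on each endpoint; the hostnames, version strings and the `min_major` baseline below are constructed for illustration.

```python
"""Summarise Java runtimes collected from endpoints.

Added example (not Bit9's code). Input: (hostname, first line of
`java -version` output) pairs gathered by your own collection agent.
Only the legacy "1.x.0_yy" version scheme of the Java 5-8 era is parsed.
"""
import re
from collections import defaultdict

# Constructed sample data: several hosts carry more than one runtime,
# which is the situation the report describes.
SAMPLE_INVENTORY = [
    ("ws-001", 'java version "1.6.0_45"'),
    ("ws-001", 'java version "1.7.0_21"'),
    ("ws-002", 'java version "1.7.0_25"'),
    ("ws-003", 'java version "1.5.0_22"'),
    ("ws-003", 'java version "1.6.0_31"'),
    ("ws-003", 'java version "1.7.0_25"'),
    ("ws-004", 'java version "1.7.0_25"'),
]

VERSION_RE = re.compile(r'java version "1\.(\d+)\.0(?:_(\d+))?"')


def parse_java_version(line):
    """Return (major, update) from a `java -version` first line.

    'java version "1.6.0_45"' -> (6, 45).  Raises ValueError on input
    that does not match the legacy scheme, so bad data is not silently
    counted as "fine".
    """
    m = VERSION_RE.search(line)
    if not m:
        raise ValueError("unrecognised version line: %r" % line)
    return int(m.group(1)), int(m.group(2) or 0)


def inventory(records, min_major=7):
    """Group runtimes per host and flag hosts that need action.

    A host "needs action" when its *oldest* runtime is below min_major
    (Java 7 by default), regardless of how new its newest runtime is:
    the attacker picks the oldest one, as the report notes.
    """
    per_host = defaultdict(set)
    for host, line in records:
        per_host[host].add(parse_java_version(line))
    report = {}
    for host, versions in per_host.items():
        oldest = min(versions)
        report[host] = {
            "versions": sorted(versions),
            "oldest": oldest,
            "needs_action": oldest[0] < min_major,
        }
    return report


def distinct_versions(records):
    """Number of distinct runtimes across the whole estate (the report's
    '50 versions per organisation' figure)."""
    return len({parse_java_version(line) for _, line in records})


def fraction_of_hosts_with_major(records, major):
    """Share of hosts carrying at least one runtime of the given major
    version, e.g. major=6 for the report's 'still using Java 6' figure."""
    hosts = defaultdict(set)
    for host, line in records:
        hosts[host].add(parse_java_version(line)[0])
    if not hosts:
        return 0.0
    return sum(1 for majors in hosts.values() if major in majors) / len(hosts)


if __name__ == "__main__":
    for host, info in sorted(inventory(SAMPLE_INVENTORY).items()):
        flag = "ACTION" if info["needs_action"] else "ok"
        print(host, info["versions"], "oldest:", info["oldest"], flag)
    print("distinct runtimes:", distinct_versions(SAMPLE_INVENTORY))
    print("hosts with Java 6:", fraction_of_hosts_with_major(SAMPLE_INVENTORY, 6))
```

The per-host "oldest" field is the number that matters for the second and third steps: a host whose newest runtime is current but whose oldest is Java 5 is still exposed, and the decision to remove or keep that old runtime (and whether any runtime needs to be reachable from the browser) has to be made host by host.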
With perfect timing and additional irony, Polish Java researcher Adam Gowdiak has reported his latest vulnerability discovery: this time an old attack that works against the latest version. Yesterday he announced on the Full Disclosure mailing list that it is "possible to implement a very classic attack against Java VM. What's in particular interesting is that the attack itself has been in the public knowledge for at least 10+ years."
In a scathing attack on Oracle, he explained, "We discovered yet another indication that new Reflection API introduced into Java SE 7 was not subject to a thorough security review (if any). [The flaw is] one of those risks one should protect against in the first place when new features are added to Java at the core VM level."