The latest Java security research from Websense shows that as of last month, only 19% of enterprise Windows-based computers ran the latest version of Java (7u25). More than 40% of enterprise Java requests are from browsers still using outdated Java 6. As a result, more than 80% of Java requests are susceptible to two popular new Java exploits: CVE-2013-2473 and CVE-2013-2463.
“These two are already making a big impact by targeting computers running outdated versions of Java,” said Websense researchers, via the company blog. “It's clear the cybercriminals know there is a Java update problem for many organizations.”
Notably, the first two weeks of August saw an uptick in new hosts running the Neutrino exploit kit. Typically associated with ransomware payloads, Neutrino is best known for its easy-to-use control panel and features that evade anti-virus and IPS systems. The uptick coincides with Neutrino’s addition of Java-based code execution exploits including CVE-2013-2463, which is based on AWT/2D vulnerabilities and affects all Java 6 users – because there is no patch for that version.
“Effective exploit kit delivery mechanisms, such as Neutrino, and unpatched vulnerabilities targeting Java 6 create a significant challenge for organizations that have not updated to Java 7,” the company noted.
On the positive side, Websense’s updated numbers show that enterprise IT is pushing out more Java updates. Earlier this year, 70% of Java requests came from Java 6 users. That figure has decreased to 40%. And the results are better than the last research, from March, which found that 93% of enterprises were vulnerable to known Java exploits, and nearly 50% of enterprise traffic used a Java version that was more than two years out of date.
“Recent high profile attacks have again firmly established the trend that Java should be viewed as a security risk,” said Carl Leonard, senior security research manager for EMEA at Websense, in an emailed comment to Infosecurity. “Java has become a primary gateway for hackers to enter today’s businesses and its vulnerabilities are being commoditized in the latest exploit kits.”
In all, 83.86% of enterprise browsers have Java enabled, the research found, so these types of stats are critical to consider when it comes to the security threat landscape. But Websense also warned that IT departments shouldn’t forget about Adobe Flash.
“Remember, just a few years ago, Flash was a primary attack vector,” the company said. “Nearly 40% of users are not running the most up-to-date versions of Flash.” Also, nearly 25% of Flash installations are more than six months old, close to 20% are outdated by a year and nearly 11% are two years old.
There are headaches for IT in remedying the issue: in the last three months, five security patches have been released for Flash, and that number leaps to 26 over the course of the last year.
“This is exactly why real-time security models are absolutely essential,” the company explained. “Even the best patch management and traditional security tools simply cannot keep up with the ongoing barrage of zero-day attacks and exploit kits being created.”