
Bit9 Research Shows Java is Most Targeted Endpoint Technology for Cyber Attacks; Widely Deployed Older Versions Pose Greatest Risk

Global Banking And Finance 1 News

Years of Java Updates have not Improved Security Vulnerabilities

A new research report published yesterday by Bit9, the leader in next-generation endpoint and server security, finds that Java represents a significant security risk to enterprises because it is the endpoint technology most targeted by cyber attacks.

The Bit9 threat research team analysed Java deployment statistics on approximately 1 million endpoints at hundreds of enterprises worldwide. The report, Java Vulnerabilities: Write Once, Pwn Anywhere, identifies significant risks posed by outdated versions of Java that have many known vulnerabilities and remain widely deployed by many businesses.

Highlights include:

  • The average organisation has more than 50 versions of Java installed across all of its endpoints.
  • Five percent of those enterprises have more than 100 versions of Java installed.
  • Most endpoints have multiple versions of Java installed, in part because the Java installation and update process often does not remove old versions.
  • Attackers can determine what versions of Java an enterprise is running and target the oldest, most vulnerable versions.
  • The most popular version of Java running on endpoints analysed by Bit9 is version 6 update 20, which is present on 9 percent of all systems and has 96 known vulnerabilities of the highest severity.

Less than 1 percent of enterprises are running the latest version of Java.

“For the past 15 years or so, IT administrators have been under the misperception that updating Java would address its security issues,” said Harry Sverdlove, Bit9 chief technology officer. “They have been told that to improve security, they should continuously and aggressively deploy Java updates on all of their endpoints. Unfortunately, updating is not the same as upgrading. Until very recently, those updates have failed to deliver the promised security upgrade because they have not removed older, highly vulnerable versions of Java they were intended to replace. As a result, most organisations have multiple versions of Java on their endpoints, including some that were released at the same time as Windows 95,” said Sverdlove.

Bit9’s research also discovered that it is fairly easy for attackers to target older versions of Java without the enterprise even realising it. Eighty-two percent of the endpoints analysed by Bit9 are running the version 6 series of Java, which has the most known reported vulnerabilities.

Java Vulnerabilities: Write Once, Pwn Anywhere recommends that enterprises concerned about the security risks in older versions of Java should:

  • Assess how many versions of Java are running in the enterprise
  • Decide if these older versions are needed for valid business reasons and if Java should be running in browsers
  • Enforce those decisions with a comprehensive security solution

“It’s not surprising that most companies are unaware of all the versions of Java on their systems,” said Sverdlove. “Most organisations have no idea what’s running on their endpoints and servers—they lack visibility into those systems. And traditional security solutions—including antivirus—can’t protect them from modern threats. At Bit9 we focus on providing real-time visibility and protection for endpoints and servers to address this critical need.”


About Bit9
The Bit9 Security Platform is the only next-generation endpoint and server security solution that continuously monitors and records all activity on endpoints and servers and stops cyber threats that evade traditional security defenses. Bit9’s real-time sensor and recorder, real-time enforcement engine, and cloud-based services provide the most reliable form of endpoint and server security and deliver value within days of implementation. This combination gives organizations immediate visibility to everything running on their endpoints and servers; real-time signature-less detection of and protection against advanced threats; and a recorded history of all endpoint and server activity for deep forensics. Security teams use Bit9’s integration with network security devices such as FireEye and Palo Alto Networks to accelerate incident response and ensure all files arriving on endpoints and servers are safe. Bit9 has stopped the most advanced attacks, including Flame, Gauss, and the malware responsible for the RSA breach. One thousand organizations worldwide—from 25 Fortune 100 companies to small businesses—use Bit9 to increase security, reduce operational costs, and improve compliance.

 

 

 
