A new finding by Websense Security Labs has shed some light on why Java is such a popular target for hackers looking to compromise computers. According to Web browser data filtered through the company’s security engine, almost 75 percent of users are using a Java Runtime Environment (JRE) release that is more than six months out of date.
As a security vendor that provides Web and email gateway security products for businesses, Websense does have a large pool of computers to start off with. In addition, PC World noted that Websense also has a partnership with Facebook to scan links posted on the social networking site for malicious content. As you can imagine, this allows header data from literally tens of millions of endpoints to be examined for this study.
What’s more, another two-thirds of users were found to be a year behind, and about 50 percent are a distant two years behind, says Websense. Indeed, just 5.5 percent of Java-enabled browsers had the most up-to-date version of the software’s browser plug-in two weeks after its March 4 release. For readers who are not system or security administrators, that means Java 7 Update 17 (7u17) and Java 6 Update 43 (6u43), which were released to resolve a vulnerability that was being actively exploited by hackers.
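The kind of check the study implies, written here as an added example rather than Websense’s own tooling: it parses the Java version string that the plug-in and JVM report in request headers (the form 1.7.0_17 is Java’s own convention), buckets each endpoint against the 7u17 and 6u43 releases named above, and tallies the share that is out of date. The header sample is constructed for illustration.

```python
import re
from collections import Counter

# Newest releases named in the article (March 2013): Java 7 Update 17 and Java 6 Update 43.
LATEST_UPDATE = {7: 17, 6: 43}

# Java version strings look like "1.7.0_17" (family 7, update 17); the plug-in and
# JVM report them inside a User-Agent-style header such as "Java/1.7.0_17".
VERSION_RE = re.compile(r"\b1\.(\d+)\.\d+(?:_(\d+))?")


def parse_jre_version(header):
    """Return (family, update) from a header carrying a Java version, else None."""
    m = VERSION_RE.search(header)
    if m is None:
        return None
    return int(m.group(1)), int(m.group(2) or 0)


def classify(header):
    """Bucket one endpoint: current, outdated, unknown-family or no-java."""
    parsed = parse_jre_version(header)
    if parsed is None:
        return "no-java"
    family, update = parsed
    if family in LATEST_UPDATE:
        return "current" if update >= LATEST_UPDATE[family] else "outdated"
    # Families older than any we track (Java 5 and earlier) are end-of-life: outdated.
    return "outdated" if family < min(LATEST_UPDATE) else "unknown-family"


def summarize(headers):
    """Map bucket -> (count, percent of all headers), e.g. {'current': (3, 30.0), ...}."""
    counts = Counter(classify(h) for h in headers)
    total = len(headers)
    return {k: (n, round(100.0 * n / total, 1)) for k, n in counts.items()}


# Constructed sample headers (not Websense data) so the script runs stand-alone.
SAMPLE_HEADERS = [
    "Java/1.7.0_17", "Java/1.7.0_17", "Java/1.7.0_15", "Java/1.7.0_10",
    "Java/1.6.0_43", "Java/1.6.0_37", "Java/1.6.0_20", "Java/1.5.0_22",
    "Mozilla/5.0 (no Java plug-in)", "Java/1.7.0_13",
]

if __name__ == "__main__":
    for bucket, (n, pct) in sorted(summarize(SAMPLE_HEADERS).items()):
        print(f"{bucket:15s} {n:3d}  {pct:5.1f}%")
```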
This means that 9 out of 10 computers with Java installed can be compromised should users click on the wrong link, or visit legitimate websites that have been hacked to incorporate the malicious code. The threat is all the more real thanks to the security flaws’ incorporation into at least one Web attack toolkit used by cybercriminals to conduct mass drive-by download attacks.
The implication from the telemetry is clear: For all the talk about zero-day Java exploits, the elephant in the room for solving the plague of Java-exploiting malware entails installing the latest security updates from Oracle. And based on the statistics, it is clear that users left to their own devices have a near-certain chance of simply ignoring new Java updates.
Of course, the other option for smaller businesses would be to do away with Java entirely by uninstalling it, a move that I advocated in a Small Business Computing post here. Unlike enterprises that may have built extensive Web services or custom tools that require the use of Java, SMBs are far more likely to get along fine without it.