Enterprises are still ignoring the threat posed by out-of-date versions of Java, with barely one in five running the latest version during August, security firm Websense has reported.
After running traffic through the firm’s ThreatSeeker Intelligence Cloud, an incredible 40 percent of Java requests were found to be from Java 6 Standard Edition(SE), succeeded by Java 7 SE more than two years ago. Java 6 support ended in April 2013.
Some might have continued to run this for compatibility reasons for a time, but ignoring the issue would now be leaving them open to a range of serious exploits.
The general tendency not to update meant that 81 percent of browsers were now vulnerable to two recent vulnerabilities in particular, CVE-2013-2473 and CVE-2013-2463 from June this year, for which there were working exploits, Websense said.
Overall, Java remains popular among enterprise users, Websense found, with 84 percent of browsers and clients enabling it. One positive trend was that IT departments had at least increased the level of updates to Java 7.
“Java has become a primary gateway for hackers to enter businesses and it’s vulnerabilities are being commoditised in the latest exploit kits,” said Websense senior research manager EMEA,Carl Leonard.
“It is clear the cybercriminals know there is a Java update challenge for many organisations and thus they focus on exploits targeting both new and older versions of the technology.”
Flash, too, remains an issue in many firms, with 40 percent of users not running the latest version, Websense found. Twenty-five percent of installations were more than six months old, 20 percent around a year old and one in ten two years old.
The Websense findings concur with the general picture offered by every other survey on the subject of updating. In July, Bit9 discovered much the same poor levels of updating, with Java 6 still very popular and usage levels just over 80 percent for Java as a whole.