Researchers find Java users woefully tardy on patching

Java has been a jackpot for hackers in recent months and an analysis of its users released Tuesday suggests why that's so.

More than 50 percent of Java users are running a version of the program that's more than two years old, according to the analysis based on more than one billion endpoints monitored by Websense Security Lab.

Morover, 75 percent of all users are running a version that's six months old or older.

Although Oracle has scheduled a critical security update for Java on June 18, it's unlikely that there'll be a rush to install it, since 93 percent of the program's users have yet to install the last critical security update issued April 16.

Antivirus software maker Avast had similar findings when it surveyed its users in March. Only four percent of them had the most up to date version of Java, noted Avast CTO Ondrej Vlcek.

"You'd expect the consumer segment to be worse than the enterprise, but we didn't expect four percent," he said in an interview.

Oracle did not respond to a request for comment for this story.

While it may puzzle the security community why an organization wouldn't want to keep its software up to date to avoid getting hacked, some companies don't see things that way.

"A lot of corporate networks have internal apps that are dependent on certain versions of Java, and they've been broken through patches," Websense Security Lab marketing manager Bob Hansmann told CSO.

"So a lot of this is intentional," he said, "[Alot] of it is by design, but it does create a huge exposure."

[Also see: Oracle's Java security improvements don't quite satisfy]

Oracle's updating procedure in corporations can also be a barrier to prompt patching, said Ross Barrett, a senior manager of security engineering at Rapid7.

"When the Java updater runs, it can require administrator privileges," he said. "A lot of organizations aren't going to give those kinds of credentials to their average users."

"That means someone from IT has tointeract with the system to apply the patch, which is just time consuming and inefficient," Barrett said.

Many local users who do have the power to update Java won't do it when prompted to do so. "The average end user in finance or marketing will think security told me not to click on things so I won't do it," Barrett said. "Even organizations that rely on Java don't have a corporate wide patching solution in place that supports Java."

With only about seven percent of the systems using Java keeping their updates current, it's easy for online marauders to take advantage of the many vulnerabilities in Java that have been around forever, he explained.

Even short delays in upgrading systems can be costly to a company. That's because a bad app can act very quickly. "More than half the malware out there will communicate with its Internet control within 60 seconds of infection," Hansmann said.

In the past, malicious program would wait until the wee hours of the morning to communicate with their overlords, but there are so many applications on a computer nowadays polling the Net for information and updates that delays are no longer necessary. "They don't have to wait," he said. "They can get lost in all the chatter."

If companies need to use old copies of Java with known vulnerabilities, Hansmann recommended they at least take an inventory of where they're using Java. "Do they really need it on all their systems?" he asked.

Read more about application security in CSOonline's Application Security section.

Tags OraclejavasoftwareapplicationswebsensepatchingAccess control and authenticationData Protection | Application SecurityAvastJava patch

Show Comments