Most Java-enabled browsers vulnerable to widespread Java exploits, Websense says
Only 5 percent of actively used browser installations have the most up-to-date version of the Java plug-in, the vendor's data shows
IDG News Service - Most browser installations use outdated versions of the Java plug-in that are vulnerable to at least one of several exploits used in popular Web attack toolkits, according to statistics published Monday by security vendor Websense.
The company recently used its threat intelligence network, which monitors billions of Web requests originating from "tens of millions" of endpoint computers protected by its products, to detect the Java versions that are installed on those systems and are available through their Web browsers. Websense provides Web and email gateway security products for businesses, but it also has a partnership with Facebook to scan links clicked by users on the social networking site for malicious content.
The Java telemetry data gathered by Websense showed that only 5.5% of Java-enabled browsers have the most up-to-date versions of the software's browser plug-in -- Java 7 Update 17 (7u17) and Java 6 Update 43 (6u43) -- installed. These two versions were released on March 4 in order to address a vulnerability that was already being exploited in active attacks at the time.
According to Websense, an exploit for that vulnerability has since been integrated into the Cool Exploit Kit, a Web attack toolkit used by cybercriminals to launch mass drive-by download attacks that infect computers with malware when visiting compromised or malicious websites.
Cool Exploit Kit is a high-end attack toolkit that requires a subscription of $10,000 per month, so there's an argument to be made that not many cybercriminals can afford it. However, Websense's data shows that a large number of Java-enabled browser installations are also vulnerable to exploits used in much cheaper and widespread exploit kits.
For example, the company found that around 71% of Java-enabled browser installations were vulnerable to an older exploit that's currently present in four different Web attack toolkits: RedKit, CritXPack, Gong Da and Blackhole 2.0. The exploit targets a Java vulnerability called CVE-2012-4681 that was patched by Oracle in August 2012.
More than 75% of the Java-enabled browsers scanned by Websense used a Java plug-in version that was more than six months old, and nearly two-thirds used a version that was more than a year old. Users of those browsers don't benefit from the security controls introduced by Oracle in Java 7 Update 11 that prevent Java applets from running inside browsers without confirmation by default.
The data shows that when it comes to Java, zero-day attacks -- attacks exploiting vulnerabilities that were previously unknown to the public -- should not be getting all of the attention, security researchers from Websense said in a blog post.
Other security experts have said in the past that Oracle should find a way to improve the adoption rate of Java updates, possibly by offering the option of silent, automatic updates like Google or Adobe did in Chrome, Flash Player and Adobe Reader. Silent software updates are not popular in corporate environments, where patches need to be tested for compatibility and stability issues before being deployed on systems, but they would probably help reduce the fragmentation of Java versions in the consumer space if implemented.
- 15 Non-Certified IT Skills Growing in Demand
- How 19 Tech Titans Target Healthcare
- Twitter Suffering From Growing Pains (and Facebook Comparisons)
- Agile Comes to Data Integration
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- HP HAVEn: See the big picture in Big Data HP HAVEn is the industry's first comprehensive, scalable, open, and secure platform for Big Data. Enterprises are drowning in a sea of data...
- What Datapipe customers need to know about the new PCI DSS 3.0 compliance standard This handy quick reference outlines what PCI DSS 3.0 is, who needs to be compliant and how Alert Logic solutions address the new...
- The 12 PCI DSS 3.0 requirements addressed by Peer 1 Hosting This handy quick reference outlines the 12 PCI DSS 3.0 requirements, who needs to be compliant and how Alert Logic solutions address the...
- Defense Throughout the Vulnerability Life Cycle This whitepaper provides insight into how to leverage threat and log management technologies to protect your IT assets throughout their vulnerability life cycle.
- Meg Whitman presents Unlocking IT with Big Data During this Web Event you will hear Meg Whitman, President and CEO, HP discuss HAVEn - the #1 Big Data platform, as well...
- The New Way to Work Knowledge Vault This Knowledge Vault focuses on how, in today's increasingly virtual world, it's more important than ever to engage deeply with employees, suppliers, partners,... All Desktop Apps White Papers | Webcasts