Most Java-enabled browsers vulnerable to widespread Java exploits, Websense says
Only 5 percent of actively used browser installations have the most up-to-date version of the Java plug-in, the vendor's data shows
IDG News Service - Most browser installations use outdated versions of the Java plug-in that are vulnerable to at least one of several exploits used in popular Web attack toolkits, according to statistics published Monday by security vendor Websense.
The company recently used its threat intelligence network, which monitors billions of Web requests originating from "tens of millions" of endpoint computers protected by its products, to detect the Java versions that are installed on those systems and are available through their Web browsers. Websense provides Web and email gateway security products for businesses, but it also has a partnership with Facebook to scan links clicked by users on the social networking site for malicious content.
The Java telemetry data gathered by Websense showed that only 5.5% of Java-enabled browsers have the most up-to-date versions of the software's browser plug-in -- Java 7 Update 17 (7u17) and Java 6 Update 43 (6u43) -- installed. These two versions were released on March 4 in order to address a vulnerability that was already being exploited in active attacks at the time.
According to Websense, an exploit for that vulnerability has since been integrated into the Cool Exploit Kit, a Web attack toolkit used by cybercriminals to launch mass drive-by download attacks that infect computers with malware when visiting compromised or malicious websites.
Cool Exploit Kit is a high-end attack toolkit that requires a subscription of $10,000 per month, so there's an argument to be made that not many cybercriminals can afford it. However, Websense's data shows that a large number of Java-enabled browser installations are also vulnerable to exploits used in much cheaper and widespread exploit kits.
For example, the company found that around 71% of Java-enabled browser installations were vulnerable to an older exploit that's currently present in four different Web attack toolkits: RedKit, CritXPack, Gong Da and Blackhole 2.0. The exploit targets a Java vulnerability called CVE-2012-4681 that was patched by Oracle in August 2012.
More than 75% of the Java-enabled browsers scanned by Websense used a Java plug-in version that was more than six months old, and nearly two-thirds used a version that was more than a year old. Users of those browsers don't benefit from the security controls introduced by Oracle in Java 7 Update 11 that prevent Java applets from running inside browsers without confirmation by default.
The data shows that when it comes to Java, zero-day attacks -- attacks exploiting vulnerabilities that were previously unknown to the public -- should not be getting all of the attention, security researchers from Websense said in a blog post.
Other security experts have said in the past that Oracle should find a way to improve the adoption rate of Java updates, possibly by offering the option of silent, automatic updates like Google or Adobe did in Chrome, Flash Player and Adobe Reader. Silent software updates are not popular in corporate environments, where patches need to be tested for compatibility and stability issues before being deployed on systems, but they would probably help reduce the fragmentation of Java versions in the consumer space if implemented.
- Best iPhone, iPad Business Apps for 2014
- 14 Tech Conventions You Should Attend in 2014
- 10 Desktop Apps to Power Your Windows PC
- How to Add New Job Skills Without Going Back to School
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- The 12 PCI DSS 3.0 requirements addressed by Peer 1 Hosting This handy quick reference outlines the 12 PCI DSS 3.0 requirements, who needs to be compliant and how Alert Logic solutions address the...
- Defense Throughout the Vulnerability Life Cycle This whitepaper provides insight into how to leverage threat and log management technologies to protect your IT assets throughout their vulnerability life cycle.
- Alert Logic for PCI DSS Compliance To achieve PCI DSS compliance, you must identify and remediate all critical vulnerabilities detected during PCI scans. Threat Manager streamlines this process by...
- Cybersecurity Imperatives Reinvent Your Network Security With Palo Alto Networks The Rise of CyberSecurity
- Live Webcast On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy...
- Live Webcast Endpoint Backup & Restore: Protect Everyone, Everywhere Arek Sokol from the bleeding-edge IT team at Genentech/Roche explains how he leverages cross-platform enterprise endpoint backup in the public cloud as part...
- Streamline Software Asset Management, Compose a software Management Symphony Keeping track of your organization's software is easy with effective software management solutions from CDW. View the videos in our software solutions channel
- Druva inSync: Endpoint Data Protection & Governance CLICK HERE to watch this video about protecting corporate data on laptops and mobile devices, sponsored by Druva. All Security White Papers | Webcasts