Most enterprise networks riddled with vulnerable Java installations
Most enterprise systems have more than one version of Java installed, and the vast majority of them are outdated, security firm Bit9 said
IDG News Service - Despite the significant Java security improvements made by Oracle during the past six months, Java vulnerabilities continue to represent a major security risk for organizations because most of them have outdated versions of the software installed on their systems, according to a report by security firm Bit9.
Bit9's report was released Thursday and is based on data about Java usage collected from approximately 1 million enterprise endpoint systems owned by almost 400 organizations that use the company's software reputation service.
The data shows that Java 6 is the most prevalent major version of Java in enterprise environments, present on more than 80 percent of enterprise computers that have Java installed.
Java 6 reached the end of public support in April, and only Oracle customers with a long-term support contract will continue to receive security updates for it. Java 7, the version that is the focus of Oracle's recent security strengthening efforts, was only found on around 15 percent of endpoint systems sampled by Bit9.
Furthermore, most companies that run Java 6 on their systems don't have the latest security updates for it, the security firm found.
The most widely deployed Java version, according to Bit9's data, was Java 6 Update 20, which was installed on a little over 9 percent of endpoints. This version of Java is vulnerable to a total of 215 security issues, 96 of which have the maximum impact score on the Common Vulnerability Scoring System (CVSS) scale, Bit9 said.
The last publicly available security update for Java 6 is Java 6 Update 45, which was released in April at the same time as Java 7 Update 21, the latest version of Java available when Bit9 collected data for its report.
Only 3 percent of enterprise endpoint systems were running Java 7 Update 21, the company said. However, those endpoints belonged to only 0.25 percent of the sampled organizations, which seems to indicate that organizations with a larger number of endpoints are more likely to have the latest version of Java installed on their systems.
Another issue is that many enterprise systems have multiple versions of Java running on them. Around 65 percent of systems had more than two versions of Java installed at the same time, and approximately 20 percent had more than three versions.
According to Bit9's report, on average, organizations have more than 50 distinct versions of Java installed in their environments. About 5 percent of organizations have more than 100 versions.
This problem mainly stems from how the Java installation and updating process deals with older versions.
The Java 7 updater will attempt to remove existing installations of Java 6, but a clean installation of Java 7 won't remove older versions, said Harry Sverdlove, Bit9's chief technology officer. Java 5 versions are not removed during Java 7's installation or update processes, he said.
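The inventory check a defender would want after reading this, as an added example that is not Bit9's code or part of the article: it parses JRE version strings, applies the thresholds the report states (Java 7 Update 21 as the latest public release, Java 6 and older out of public support) and flags hosts that carry more than one install, the leftover-version problem described above. The host names and versions in the sample inventory are constructed.

```python
import re
from collections import Counter
# Thresholds from the Bit9 report: Java 7 Update 21 was the latest public release
# when data was collected; Java 6 (last public update 45) left public support in April.
LATEST_PUBLIC_UPDATE = {7: 21}
UNSUPPORTED_MAJORS = {5, 6}  # no further public security updates

# Accept the "java -version" form (1.6.0_20) and the short form (6u20).
_LONG = re.compile(r"^1\.(\d+)\.\d+_(\d+)$")
_SHORT = re.compile(r"^(\d+)u(\d+)$")

def parse_java_version(text):
    """Return (major, update) for a JRE version string, or None if unrecognised."""
    m = _LONG.match(text.strip()) or _SHORT.match(text.strip())
    return (int(m.group(1)), int(m.group(2))) if m else None

def classify(version):
    """'unsupported' (no public fixes), 'outdated' (newer public update exists) or 'current'."""
    major, update = version
    if major in UNSUPPORTED_MAJORS:
        return "unsupported"
    latest = LATEST_PUBLIC_UPDATE.get(major)
    return "outdated" if latest is not None and update < latest else "current"

def audit_host(installed):
    """Map each parseable version on one host to its status and flag leftover installs."""
    statuses = {}
    for raw in installed:
        v = parse_java_version(raw)
        if v is not None:
            statuses[v] = classify(v)
    return {"versions": statuses, "multiple_installs": len(statuses) > 1,
            "needs_action": len(statuses) > 1 or any(s != "current" for s in statuses.values())}

def summarize(inventory):
    """Fleet-level view over a {host: [version strings]} inventory."""
    counts, multi = Counter(), 0
    for installed in inventory.values():
        result = audit_host(installed)
        counts.update(result["versions"].values())
        multi += result["multiple_installs"]
    return {"hosts": len(inventory), "hosts_with_multiple": multi, "installs": dict(counts)}

# Constructed sample inventory (host names and versions are made up, not report data).
SAMPLE_INVENTORY = {
    "ws-001": ["1.6.0_20", "1.7.0_21"],   # 7u21 present but 6u20 left behind
    "ws-002": ["1.6.0_45"],               # latest Java 6, yet out of public support
    "ws-003": ["1.5.0_22", "1.6.0_20", "7u17"],
    "ws-004": ["1.7.0_21"],
}
```

Feeding it real data means exporting per-host version lists from whatever software-inventory source the organization already has; the thresholds are a snapshot and must be updated as new releases ship.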