Write once, pwn anywhere

Legacy Java versions leave organisations vulnerable to attack, survey finds

Chris Mayer

Bit9 say Java is the most exploited endpoint technology for a reason – with IT admins “essentially lied to” for the past 15 years.

Enterprises running older Java versions are leaving themselves
exposed to cyber attackers, research has shown.

Information security vendor Bit9’s study,
Java Vulnerabilities: Write Once, Pwn Anywhere,
notes that Java is the most exploited endpoint technology, having
surpassed Adobe Reader in 2012. The platform’s ubiquity and its
pervasiveness on the web are chiefly what have turned it into a
hacker’s paradise, and, according to Bit9, it is now “the single most
important security problem” facing enterprises today.

Over one million endpoints were analysed by the
company’s threat research team, with some surprising findings. The
average organisation has more than 50 versions of Java across all
of its endpoints, and 5% have more than 100 different iterations
installed. According to Bit9, this has given attackers a window of
opportunity: because the Java installer and updater have not removed
older versions when a new one is installed, attackers simply direct
their exploits at the most vulnerable Java version still present on
an endpoint.

Bit9’s data suggests that the vast majority of companies are
blissfully unaware of this risk. Of those surveyed, 93% are running
a version of Java that is at least 5 years old, and 42% are using a
version that is between 10 and 15 years old. While this is to be
expected, given the number of legacy Java applications out there,
it is astounding that these installations aren’t safeguarded as well
as they could be. Equally shocking is the finding that fewer than 1%
of the enterprises analysed run the latest version of Java.

Java 6 is comfortably the most exploited version, owing to its
prevalence. The single most vulnerable release is Java 6 update 20,
which carries 96 vulnerabilities rated a “perfect 10”, the highest
severity on the scale Bit9 uses. 9% of all systems in the survey run
this version.

Oracle has recently decided to eliminate old versions during
updates in the hope of alleviating the situation, but it might be
too little, too late. The report also notes that some of the
organisations encountered had begun to remove Java from their
environments:

Java continues to be a required technology for many
companies, but its ubiquity seems to be out of proportion with its
current business use cases…

While Oracle appears to be making efforts to mitigate
some of the issues that have brought us to where we are today,
those efforts will have little impact on remediating the current

Enterprises can benefit from better characterizing and
understanding the applications running on the endpoints in their
environment, so they can better understand the risks to those
endpoints and more effectively prioritize remediation efforts.

Bit9 chief technology officer Harry Sverdlove
believes that IT administrators have “essentially been lied to for
the past 15 years.”

“They have been told that to improve security,
they should continuously and aggressively deploy Java updates on
all of their endpoints. Unfortunately, updating is not the same as
upgrading,” he explained.

“Until very recently, those updates have failed
to deliver the promised security upgrade because they have not
removed older, highly vulnerable versions of Java they were
intended to replace.”

“As a result, most organizations have multiple
versions of Java on their endpoints, including some that were
released at the same time as Windows 95,” said Sverdlove.

It’s an issue that just won’t go away for Oracle, but it is clear
that better evangelism around the area is needed, to make sure
companies know exactly what they are and aren’t updating. Bit9 is
advising enterprises to check how many versions of Java they are
running and to assess which are worth keeping around, especially
those exposed through the browser.
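The check Bit9 recommends starts with an inventory: which Java versions sit on which endpoints, and which hosts have been "updated but not upgraded", i.e. received a newer JRE while an older one was left behind. The script below is an added example, not Bit9’s tooling or anything from the report: it parses legacy-style Java version strings such as 1.6.0_20, counts distinct versions across a fleet, lists the hosts carrying a given version, and flags hosts where an old version survives beside a newer one. The inventory lines and the 1.7.0_25 baseline are constructed assumptions for the example; in practice the lines would come from an endpoint agent, registry or package-manager query.

```python
"""Java version inventory analysis (added example; constructed data).

Parses legacy Java version strings ("1.6.0_20", "1.8.0_05") into
comparable tuples and reports version sprawl across endpoints.
"""
import re
from collections import defaultdict

# Constructed sample inventory: one line per installed JRE/JDK,
# "hostname<TAB>version". Not real survey data.
SAMPLE_INVENTORY = """\
ws-0001\t1.6.0_20
ws-0001\t1.7.0_25
ws-0002\t1.7.0_25
ws-0003\t1.6.0_20
ws-0003\t1.6.0_45
ws-0003\t1.7.0_40
ws-0004\t1.4.2_19
ws-0005\t1.7.0_40
"""

# major.minor.micro with an optional _update suffix (e.g. 1.6.0_20)
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:_(\d+))?$")


def parse_version(s):
    """Return (major, minor, micro, update) for a Java version string.
    "1.6.0_20" -> (1, 6, 0, 20); a missing update number counts as 0."""
    m = VERSION_RE.match(s.strip())
    if not m:
        raise ValueError(f"unrecognised Java version string: {s!r}")
    major, minor, micro, update = m.groups()
    return (int(major), int(minor), int(micro), int(update or 0))


def format_version(v):
    """Inverse of parse_version, zero-padding the update number as Oracle does."""
    major, minor, micro, update = v
    return f"{major}.{minor}.{micro}_{update:02d}"


def parse_inventory(text):
    """Map hostname -> sorted list of distinct parsed versions on that host."""
    hosts = defaultdict(set)
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        host, version = line.split("\t", 1)
        hosts[host].add(parse_version(version))
    return {h: sorted(v) for h, v in hosts.items()}


def fleet_summary(hosts):
    """Distinct versions fleet-wide, with the number of hosts carrying each."""
    counts = defaultdict(int)
    for versions in hosts.values():
        for v in versions:
            counts[v] += 1
    return dict(counts)


def hosts_with(hosts, version):
    """Hosts that still carry one specific version (e.g. the worst one)."""
    return sorted(h for h, v in hosts.items() if version in v)


def updated_not_upgraded(hosts, baseline):
    """Hosts with at least one version >= baseline AND an older one still
    installed: the updater ran, but the old JRE was never removed."""
    flagged = {}
    for host, versions in hosts.items():
        old = [v for v in versions if v < baseline]
        new = [v for v in versions if v >= baseline]
        if old and new:
            flagged[host] = old
    return flagged


def hosts_below(hosts, baseline):
    """Hosts whose newest installed Java is still below the baseline."""
    return sorted(h for h, v in hosts.items() if max(v) < baseline)


if __name__ == "__main__":
    hosts = parse_inventory(SAMPLE_INVENTORY)
    baseline = parse_version("1.7.0_25")  # assumed cut-off for this example
    print(f"{len(fleet_summary(hosts))} distinct Java versions on {len(hosts)} hosts")
    for host in hosts_with(hosts, parse_version("1.6.0_20")):
        print(f"{host}: still runs 1.6.0_20")
    for host, old in sorted(updated_not_upgraded(hosts, baseline).items()):
        print(f"{host}: updated, but still carries "
              f"{', '.join(map(format_version, old))}")
    for host in hosts_below(hosts, baseline):
        print(f"{host}: newest Java is {format_version(max(hosts[host]))}")
```

The two reports at the end are the ones that matter for prioritisation: hosts flagged by updated_not_upgraded look current to a naive "is the latest version installed?" check yet still expose the old runtime, while hosts_below are the ones that were never updated at all.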

Image courtesy of CarbonNYC
