Write once, pwn anywhere

Legacy Java versions leave organisations vulnerable to attack, survey finds

Chris Mayer

Bit9 say Java is the most exploited endpoint technology for a reason – with IT admins “essentially lied to” for the past 15 years.

Enterprises running older Java versions are leaving themselves exposed to cyber attackers, research has shown.

Information security vendor Bit9’s study, Java Vulnerabilities: Write Once, Pwn Anywhere, notes that Java is the most exploited endpoint technology, surpassing Adobe Reader in 2012. The language’s ubiquity and pervasiveness on the web are predominantly responsible for the Java platform becoming a hacker’s paradise, and the platform is “the single most important security problem” facing enterprises today, according to Bit9.

Over one million endpoints were analysed by the company’s threat research team, with some surprising findings. The average organisation has more than 50 versions of Java across all of its endpoints, with 5% having more than 100 different iterations installed. According to Bit9, this has given attackers a window of opportunity. As the Java installation and update process doesn’t have a way of removing the older versions, hackers direct their attacks at the most vulnerable Java versions still present.

Bit9’s data seems to suggest that the vast majority of companies are blissfully unaware of this risk. Of those surveyed, 93% are running a version of Java that is at least 5 years old, with 42% using a version that is between 10 and 15 years old. While this is expected, given the number of legacy Java applications out there, the fact that these aren’t as well safeguarded as they could be is astounding. Equally shocking is the finding that fewer than 1% of the enterprises analysed run the latest version of Java.

Java 6 is comfortably the most exploited version, due to its prevalence. The most riddled Java version is Java 6, update 20, containing 96 vulnerabilities scoring a “Perfect 10” on Bit9’s severity scale, meaning highly severe. 9% of all systems in the survey run this version.

Despite Oracle’s recent decision to eliminate old versions, in the hope of alleviating the situation, it might be too little too late. The report also notes that some of the organisations surveyed had begun to remove Java from their environments altogether.

Java continues to be a required technology for many companies, but its ubiquity seems to be out of proportion with its current business use cases…

While Oracle appears to be making efforts to mitigate some of the issues that have brought us to where we are today, those efforts will have little impact on remediating the current situation…

Enterprises can benefit from better characterizing and understanding the applications running on the endpoints in their environment, so they can better understand the risks to those endpoints and more effectively prioritize remediation efforts.

Bit9 chief technology officer Harry Sverdlove believes that IT administrators have “essentially been lied to for the past 15 years.”

“They have been told that to improve security, they should continuously and aggressively deploy Java updates on all of their endpoints. Unfortunately, updating is not the same as upgrading,” he explained.

“Until very recently, those updates have failed to deliver the promised security upgrade because they have not removed older, highly vulnerable versions of Java they were intended to replace.”

“As a result, most organizations have multiple versions of Java on their endpoints, including some that were released at the same time as Windows 95,” said Sverdlove.

It’s an issue that just won’t go away for Oracle, but it is clear that better evangelism around the area is needed, to make sure companies know exactly what they are and aren’t updating. Bit9 is advising enterprises to check how many versions of Java they are running, and to assess which are worth keeping around, especially within the browser.
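Bit9’s advice is to count the Java versions on each endpoint and decide which to keep. As an added example (not from the article, Bit9 or Oracle), the Python below takes a constructed host/version inventory export and reports, per host, how many Java versions are installed and which are older than a chosen current version; the tab-separated export format, the host names and the `1.7.0_25` reference version are assumptions, while `1.6.0_20` is the Java 6 update 20 build the report singles out.

```python
import re
from collections import defaultdict

# Constructed sample of an endpoint inventory export (not real survey data):
# one line per installed JRE/JDK, "<host>\t<java version string>".
SAMPLE_INVENTORY = """\
ws-001\t1.6.0_20
ws-001\t1.7.0_25
ws-002\t1.7.0_25
ws-003\t1.4.2_19
ws-003\t1.6.0_20
ws-003\t1.6.0_45
ws-003\t1.7.0_25
"""

# Legacy Java version strings look like 1.<major>.0_<update>; 1.6.0_20 is
# Java 6 update 20, the version the Bit9 report singles out.
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:_(\d+))?$")

def parse_version(text):
    """Turn '1.6.0_20' into a comparable tuple (1, 6, 0, 20); reject junk."""
    match = VERSION_RE.match(text.strip())
    if not match:
        raise ValueError(f"unrecognised Java version string: {text!r}")
    return tuple(int(part or 0) for part in match.groups())

def inventory_by_host(export):
    """Map host -> {version tuple: original string} from the export text."""
    hosts = defaultdict(dict)
    for line in export.splitlines():
        if not line.strip():
            continue  # tolerate blank lines in the export
        host, version = line.split("\t", 1)
        hosts[host][parse_version(version)] = version.strip()
    return hosts

def stale_report(export, current):
    """Per host: how many Java versions are installed and which are older
    than `current`. More than one version means an update was applied that
    did not remove its predecessor; each stale entry is a removal candidate."""
    current_t = parse_version(current)
    report = {}
    for host, versions in inventory_by_host(export).items():
        stale = [versions[v] for v in sorted(versions) if v < current_t]
        report[host] = {"installed": len(versions), "stale": stale}
    return report

def hosts_with_version(export, wanted):
    """Hosts on which one specific version (e.g. 1.6.0_20) is still present."""
    wanted_t = parse_version(wanted)
    return sorted(h for h, v in inventory_by_host(export).items() if wanted_t in v)
```

Feeding it a real export from your endpoint management tool gives the per-host list Bit9 recommends building before deciding which installations, especially browser-exposed ones, to remove.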

Image courtesy of CarbonNYC
