I like my Java straight; no cream, no exploits… (Part I)

Java is a difficult beast that is causing a lot of consternation in CTO, CIO and CSO offices. Mitigating Java risk, including disabling Java, is easier said than done in today’s business world. Java is embedded into critical business applications, which enable organizations to stay competitive. Unfortunately Java zero-days and vulnerabilities allow bad guys to constantly pwn computers. This is precisely why over the past few months the Websense Security Labs researched and documented the gravity of the Java security risk.

Our initial research reviewed real-time telemetry collected from the Websense ThreatSeeker Intelligence Cloud to determine which versions of Java are actively used across tens of millions of endpoints. The results of our research were frightening to say the least.

Websense Security Labs Research: Java Vulnerabilities

So how pervasive is the Java threat? Real-world network traffic showed that, of network computers using Java to access information on the web, 93 percent were vulnerable to known Java exploits. To follow up on this initial research, Websense Security Labs investigated how quickly businesses update Java to patch against known vulnerabilities. When Java introduced an update on April 16th, we again tracked real-world web requests to document Java version usage.

As the graph shows, the results of our research indicate that the Java patch management process is woefully slow. After a full week, the average adoption of the newest version of Java was at less than three percent. After two weeks, the trend line had moved to a little over four percent. And after a month, close to seven percent were using the most recent version of Java.

Even more frightening was the fact that:

• More than 75 percent of the computers used Java versions more than six months old.
• Nearly two-thirds were more than a year out of date.
• And more than 50 percent of browsers were greater than two years behind the times with respect to Java vulnerabilities.

Take a look at the control panel for any crime kit and you’ll see that Java exploits are one of the most successful gateways into an organization to infect machines and steal sensitive data.

So if roughly 10 percent of enterprises or less are proactively managing known critical Java vulnerabilities through patch management and version control, what security measures are the other 93 percent relying on to protect their systems from compromise and data theft?

Stay tuned

In a series of upcoming blog posts, we will be looking at this issue, and more, including:

• Why is it so hard to manage Java on an enterprise level?
• Best practices to remediate Java risk
• A brief foray into the world of Java versus javascript (and their collected associated risks)
• Why Java is targeted (no, you can’t just blame it on poor coding; we are going to look at where Java plays within the Seven Stages of Advanced Threats)
• Finally, we’ll take a look at risks associated with other plugins, extensions and programs that function in a manner similar to Java

Stay tuned to this blog for more information. In the interim, feel free to listen to our archived Java risk webcast to catch up on some of our recent research to be ready for more discussion.