New Java and Flash Research Shows a Dangerous Update Gap
Today we're continuing our Java security research series by analyzing other plug-ins, browser extensions and rich internet applications that are commonly exploited.
Our previous research indicated that the current state of Java affairs isn't pretty. At that time, ninety-three percent of enterprises were vulnerable to known Java exploits. Nearly 50 percent of enterprise traffic used a Java version that was more than two years out of date. Our latest Websense ThreatSeeker Intelligence Cloud analysis now shows:
- Only 19 percent of enterprise Windows-based computers ran the latest version of Java (7u25) between August 1-29, 2013.
- More than 40 percent of enterprise Java requests are from browsers still using outdated Java 6. As a result, more than 80 percent of Java requests are susceptible to two popular new Java exploits: CVE-2013-2473 and CVE-2013-2463.
- 83.86 percent of enterprise browsers have Java enabled.
- Nearly 40 percent of users are not running the most up-to-date versions of Flash.
- In fact, nearly 25 percent of Flash installations are more than six months old, close to 20 percent are outdated by a year and nearly 11 percent are two years old.
Our in-depth analysis ran for one month, across multiple verticals and industries. We surveyed millions of real-world web requests for Java usage through our global Websense ThreatSeeker Intelligence Cloud.
Visit the Websense Security Labs blog for more information on new Java exploits, the Neutrino exploit kit and Flash updates.