Saturday, September 14, 2013

Is Outdated Java Lurking in Your System?

In January of 2013, Oracle announced plans to reevaluate and strengthen its security protocols. The announcement came after serious vulnerabilities were found in Java 6, coupled with widespread criticism of the company’s rigid patch release schedule.

Throughout the next six months, Oracle did, indeed, take steps to tighten its security, surprising some detractors with its commitment to the issue. Most, if not all, of the security improvements, however, center on the latest version of Java, Java 7.

Unfortunately, as a recent report by security firm Bit9 makes clear, many organizations continue to use Java 6, for which Oracle stopped providing public security updates in April of 2013. Even worse, many endpoint systems run multiple versions of Java, which allows hackers to capitalize on older vulnerabilities.

Java Usage and Version Statistics

Bit9 surveyed over 400 organizations, representing a total of over 1 million distinct endpoint systems. The survey discovered Java 6 on over 80 percent of systems, and it gets worse: the most commonly installed version of Java 6 was Java 6 Update 20, which includes a staggering 215 security issues. How far behind is this update? The last version of the software was Java 6 Update 45.

Any system using outdated versions of Java 6 is at risk of serious vulnerabilities. Whether you’re selling 1994 mustang parts or offering online cloud hosting, outdated versions of Java, or indeed of any program, represent a significant risk of security breaches.

Only 15 percent of endpoint systems surveyed used Java 7, and even those were rarely up to date. Only 3 percent were running Java 7 Update 21, the most recent update at the time of the survey.

Multiple Versions, Multiple Vulnerabilities

Bit9 also discovered that the majority of endpoint systems ran multiple versions of Java. Over 42 percent of computers had two or more versions of the software installed, while 20 percent actually included three or more versions.

The average network had 50 distinct versions of Java available, indicating that individual users decide for themselves when to download and update the program. In 5 percent of cases, networks presented over 100 versions.

Multiple versions of Java represent a significant security issue. Even with the latest version of Java 7 running, hackers and malware can still take advantage of vulnerabilities in older versions of Java, while users may not even be aware they remain in the system.

Cleaning Up Java Leftovers

Java 7 installation should remove any versions of Java 6, but unfortunately won’t remove Java 5 and earlier. One solution is to check for older versions prior to installation, and uninstall all versions before downloading Java 7.

Of course, when dealing with a major network, it’s difficult to ensure all computers follow this protocol. Many users keep older versions of Java installed to run legacy apps, but this convenience comes at the cost of security vulnerabilities.

Bit9 recommends companies assess their Java usage, develop policies for the use of Java and enforce those policies. If Java is not necessary for your business, block users’ ability to download the software. If some endpoints require Java, only those systems should have access to the program. And, of course, all updates should be downloaded and applied immediately.
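As an added example (not part of the original post or of Bit9's report), here is a small Python audit of a constructed endpoint inventory that applies the clean-up and assessment advice above: it parses Java version strings, flags Java 6 and earlier as end-of-life, flags Java 7 installs that are behind Update 21, and reports hosts where several versions sit side by side. The hostnames and inventory rows are made up, and the Update 45 / Update 21 baselines are assumptions taken from the post's own figures.

```python
import re
from collections import defaultdict

# Constructed inventory rows (not real survey data): (hostname, version string as
# reported by "java -version"; "1.6.0_20" means Java 6 Update 20).
INVENTORY = [
    ("ws-01", "1.6.0_20"), ("ws-01", "1.7.0_21"),
    ("ws-02", "1.7.0_21"),
    ("ws-03", "1.5.0_22"), ("ws-03", "1.6.0_45"), ("ws-03", "1.7.0_17"),
]

CURRENT_FAMILY = 7               # the only family still receiving public updates
LATEST_UPDATE = {6: 45, 7: 21}   # last public update per family when the post was written

_VERSION_RE = re.compile(r"^1\.(\d+)\.\d+_(\d+)$")


def parse_version(text):
    """Turn a legacy Java version string such as '1.6.0_20' into (family, update)."""
    match = _VERSION_RE.match(text.strip())
    if not match:
        raise ValueError("unrecognised Java version string: %r" % text)
    return int(match.group(1)), int(match.group(2))


def classify(family, update):
    """One install is end-of-life (family no longer patched), outdated, or current."""
    if family < CURRENT_FAMILY:
        return "end-of-life"
    if update < LATEST_UPDATE.get(family, 0):
        return "outdated"
    return "current"


def audit(inventory):
    """Per host: each install with its status, whether versions coexist, and a verdict."""
    per_host = defaultdict(list)
    for host, version in inventory:
        per_host[host].append(version)
    report = {}
    for host, versions in per_host.items():
        installs = [(v, classify(*parse_version(v))) for v in sorted(versions, key=parse_version)]
        multiple = len(installs) > 1   # leftovers that a Java 7 install did not remove
        report[host] = {
            "installs": installs,
            "multiple": multiple,
            "action_required": multiple or any(s != "current" for _, s in installs),
        }
    return report
```

Feeding it a real export from your endpoint management tool in the same (host, version) shape gives the per-host list of installs to uninstall before the Java 7 rollout.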