Failure to clean up old Java is leaving enterprises vulnerable to attack

Large numbers of businesses are running outdated and insecure versions of Java and leaving themselves vulnerable to attack, a study has found.

The majority of organisations, 82 percent, are running the most vulnerable version of Java, version six, on PCs and servers within their organisation, a research report by security firm Bit9 said. According to the study, software flaws in version six of Java have a higher cumulative Common Vulnerability Scoring System rating than flaws in any other Java version.

The average enterprise has more than 50 versions of Java installed on its PCs and servers, Bit9 said, and nearly half of all computer endpoints — PCs, servers and fixed-function machines such as ATMs — are running more than two versions of Java.

The plethora of different legacy Java versions running inside enterprise IT estates is leaving businesses vulnerable to attacks via software flaws patched by the latest Java updates, the report said. Last year, Java surpassed Adobe Reader as the most exploited endpoint software in real-world attacks, according to research by security firm Kaspersky.

The blame for not removing old versions of Java from IT estates shouldn't be laid entirely at the feet of organisations, the report says, as it partly stems from the failure of Java installation and update software to remove previous versions.

"Installing a new version of Java will not always remove older versions of the software," it states.

"The fact that older major versions of Java are not removed during installation of newer versions has led to continued high prevalence of very old and vulnerable versions of Java remaining on a high percentage of endpoints."

For example, the report said running the Java update process when version 6 Update 13 is installed will remove version 6 Update 13 and install the latest version, version 7 Update 25, but it will not remove version 5 update 22 if that version was installed previously.

A good protection for businesses running multiple versions of Java is to update to the latest version of the software, currently version 7 update 25, as this will not allow users to select older versions of Java for code to be run against.

However, the report found that at the time the research was carried out fewer than one percent of organisations had upgraded to the then-latest version of Java.

"It seems reasonable to conclude that most organisations are susceptible to a large number of old vulnerabilities for which fixes are available simply due to lack of updating," the report states.

Bit9 recommends organisations should evaluate where Java is necessary and, if choosing to remove Java, should audit their software afterwards to confirm removal.

Not all Java applications are equally vulnerable to attack. According to the report, it is when Java is used as a client-side web technology, such as a browser plug-in, that it presents the greatest opportunity for exploitation.

Bit9 gathered data for the report from about one million computer endpoints running within several hundred organisations worldwide.