37 percent of users browsing the Web with insecure Java versions

Summary: Researchers from CSIS monitored 50 different exploit kits and found that 31.3% of users were infected with a virus or other malware because of missing security updates.

Over a period of three months, researchers from CSIS monitored 50 different exploit kits on 44 unique servers and found that 31.3% of users were infected with a virus or other malware because of missing security updates.

In particular, users were running outdated versions of specific applications and browser plugins. Java JRE accounted for 37 percent of the most vulnerable applications, followed by Adobe Reader/Acrobat with 32 percent and Adobe Flash with 16 percent.

Common vulnerabilities exploited by cybercriminals in their web malware exploitation kits include:

  • CVE-2010-1885: Microsoft Help & Support HCP
  • CVE-2010-1423: Java Deployment Toolkit insufficient argument validation
  • CVE-2010-0886: Java Unspecified vulnerability in the Java Deployment Toolkit component in Oracle Java SE
  • CVE-2010-0842: Java JRE MixerSequencer Invalid Array Index Remote Code Execution Vulnerability
  • CVE-2010-0840: Java trusted Methods Chaining Remote Code Execution Vulnerability
  • CVE-2009-1671: Java buffer overflows in the Deployment Toolkit ActiveX control in deploytk.dll
  • CVE-2009-0927: Adobe Reader Collab GetIcon
  • CVE-2008-2992: Adobe Reader util.printf
  • CVE-2008-0655: Adobe Reader CollectEmailInfo
  • CVE-2006-0003: IE MDAC
  • CVE-2006-4704: Microsoft Visual Studio 2005 WMI Object Broker Remote Code Execution Vulnerability
  • CVE-2004-0549: ShowModalDialog method and modifying the location to execute code

Verify your Java version, and ensure that all of your plugins and software applications are up to date in order to mitigate the risks posed by web malware exploitation kits.

Dancho Danchev

About Dancho Danchev

Dancho Danchev is an independent security consultant and cyber threats analyst, with extensive experience in open source intelligence gathering, malware and cybercrime incident response.

Talkback

9 comments
  • RE: 37 percent of users browsing the Web with insecure Java versions

    Now that is funny, I didn't realize there was a secure version of Java or flash for that matter!
    slickjim
    • RE: 37 percent of users browsing the Web with insecure Java versions

      @Peter Perry There isn't, but with hourly updates on both there very well might be soon.
      Net-Tech_z
  • The underpinnings are the key to vulnerabilities

    Tireless debates about "which is the most secure OS" are rendered meaningless when it is the smallest component that is subject to the greatest vulnerabilities. Sandboxing and kernel isolation are only workarounds to the fundamental problems of complex systems.
    Your Non Advocate
  • hmmm ...

    ... why am I not surprised that, combined, 85% of the vulnerabilities are made up of Java vulnerabilities and Adobe application / product vulnerabilities?

    This data *has to* fall under the category "I.T's Worst kept Security Vulnerability Secrets".
    thx-1138_
  • No wonder, Java doesn't even update itself

    The supposed Java update which pops up monthly has never worked for me. The update always fails. Reason? The updater only works if you are running as an Administrator, and of course I run as a Local User by default. So the updater fails. At some point, you give up on the shenanigans and just want to make the popup go away. So Java stays outdated until you go well out of your way to update it.
    ZStoner
    • Blame it on the IT administrator!

      @ZStoner - Exactly my point too. Our IT admins ensure that all the M$ security updates are installed on our machines but they turn a blind eye to almost everything else. The auditors don't bother about non-M$ security updates.
      dexter_greycells
  • It would be a nice fix

    If the Java installer uninstalled old versions of Java before installing the new one.
    Windows seems to like using the old version even after the new version is installed.
    zmud
  • RE: 37 percent of users browsing the Web with insecure Java versions

    Java JRE is a cancer, period. Nothing good comes from having it installed.
    The one and only, Cylon Centurion
  • RE: 37 percent of users browsing the Web with insecure Java versions

    Re: Verify your Java version: Get an error trying to run installed.js: "debug" not defined.
    LotisDigital