Researcher: 50 percent of Mac OS X users still running outdated Java versions

Summary: According to a tweet posted by Aleks Gostev, 50% of the visitors to Kaspersky Lab's newly launched Flashback information site are still running outdated versions of Java.

According to a tweet posted by Aleks Gostev, Chief Security Expert, Global Research and Analysis Team at Kaspersky Lab, 50% of the visitors to their newly launched Flashback information site are still running outdated versions of Java, potentially exposing themselves to numerous exploitation attempts by malicious attackers.

The cybercriminals behind the Flashback Mac OS X malware are exploiting the Java vulnerabilities CVE-2011-3544 and CVE-2012-0507, and that's just for starters.

According to Zscaler, hundreds of thousands of enterprise users remain exposed to malicious attacks because they're running outdated versions of their third-party software.

Here's the summary of their findings, covering both Mac OS X and Windows users:

  • Adobe Acrobat - 62.54% of outdated plugins
  • Adobe Shockwave - 35.69% of outdated plugins
  • Microsoft Outlook - 7.26% of outdated plugins
  • Java - 5.88% of outdated plugins
  • Adobe Flash - 4.37% of outdated plugins
  • Microsoft Silverlight - 1.73% of outdated plugins
  • QuickTime - 1.71% of outdated plugins
  • Windows Media - 1.25% of outdated plugins
  • RealPlayer - 0.23% of outdated plugins

A malicious attacker targeting the Mac OS X platform doesn't need zero-day vulnerabilities, because end users keep failing to patch their third-party applications and browser plugins. What's particularly interesting in the Flashback Mac OS X malware attack is that the cybercriminals behind it took advantage of Apple's delayed patch for Java on its OS. Given the percentages of end users still browsing the Web with outdated third-party applications and browser plugins, multiple Flashback-related campaigns could be launched relying on exactly this.

Apple users: with a patch for the Java vulnerabilities now available, there's no excuse not to patch as soon as possible.
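The only reliable answer to the "half the visitors are outdated" figure is an inventory check on each machine. The following script is an added example, not code from the article or from Kaspersky or Zscaler: it parses the output of `java -version` (which the JVM prints on stderr) and flags anything older than a minimum patch level. The cutoff version and the sample output are assumptions for illustration; the real minimum comes from the vendor advisory for your platform.

```python
import re
import subprocess
from typing import Optional, Tuple

# Constructed sample of `java -version` output in the Java 6 format of the
# period; the build identifiers are made up for this example.
SAMPLE_OUTPUT = """java version "1.6.0_29"
Java(TM) SE Runtime Environment (build 1.6.0_29-b11)
Java HotSpot(TM) 64-Bit Server VM (build 20.4-b02, mixed mode)
"""

# Placeholder cutoff, assumed for illustration only: replace with the patched
# version named in the vendor advisory you are enforcing.
ASSUMED_MINIMUM = (1, 6, 0, 31)

# Matches both "1.6.0_31" (update suffix) and "1.7.0" (no update suffix).
VERSION_RE = re.compile(r'java version "(\d+)\.(\d+)\.(\d+)(?:_(\d+))?')


def parse_java_version(output: str) -> Optional[Tuple[int, int, int, int]]:
    """Return (major, minor, patch, update) from `java -version` text, or None."""
    m = VERSION_RE.search(output)
    if not m:
        return None
    major, minor, patch, update = m.groups()
    return (int(major), int(minor), int(patch), int(update or 0))


def is_outdated(output: str, minimum: Tuple[int, int, int, int]) -> bool:
    """True when the reported version is older than `minimum`.

    Unparseable output is reported as outdated: an unknown Java is treated as
    unpatched rather than silently passing the check.
    """
    version = parse_java_version(output)
    if version is None:
        return True
    return version < minimum  # tuple comparison orders major.minor.patch_update


def local_java_output() -> str:
    """Run `java -version` on this host; empty string if no Java is installed."""
    try:
        proc = subprocess.run(["java", "-version"], capture_output=True, text=True)
    except FileNotFoundError:
        return ""
    return proc.stderr + proc.stdout  # the JVM prints the banner on stderr


if __name__ == "__main__":
    banner = local_java_output()
    status = "OUTDATED" if is_outdated(banner, ASSUMED_MINIMUM) else "ok"
    print(f"{parse_java_version(banner)} -> {status}")
```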

Dancho Danchev

About Dancho Danchev

Dancho Danchev is an independent security consultant and cyber threats analyst, with extensive experience in open source intelligence gathering, malware and cybercrime incident response.

Talkback

15 comments
  • This is what led to all the major Windows worms of the early 2000s

    Worms like Blaster, Slammer and Code Red affected vulnerabilities that had been patched for a very long time.
    toadlife
    • RE: This is what led to all the major Windows worms of the early 2000s

      > Worms like Blaster, Slammer and Code Red affected vulnerabilities that had been patched for a very long time.

      I thought that the absence of a software firewall also contributed to these worms. Thus, the introduction of the Windows Firewall (enabled by default) in Windows XP Service Pack 2.

      Speaking of which, OS X ships with a number of services enabled as well as a firewall that is disabled by default.
      Rabid Howler Monkey
      • You're both correct.

        The lack of firewall in Windows 2000 doesn't negate what toadlife said.
        ye
  • is that not unexpected?

    People going to their site checking about it don't know what's going on yet... while most who have patched and have everything taken care of aren't going to that site anymore. I'd of course expect more non-patched Macs checking out a site about the issue than not.
    doh123
    • That sort of logical analysis is going to cut

      your career in journalism very, very short, my friend.
      baggins_z
      • Huh?

        Who said he was a journalist?
        Gisabun
  • Ouch......

    Looks ripe for the picking if you ask me! This is a huge problem in the Mac community, and the idea that patching is optional and not really needed since Apple created the Mac "with security in mind from the get go" so there's no need to worry. I would say the Mac OS X commercials against Vista worked, but the problem is they worked in the wrong way for the Mac, and now all these users have this notion that Apple wouldn't lie to them, and though technically they didn't, they misled their users, since most people consider a virus just about any malicious program under the sun! Misconceptions all over the place, but that's what you deal with mostly: what people perceive and not the actual truth.
    OhTheHumanity
  • I don't have to do anything to patch. Just set it once and forget it...

    ...Under Windows that is. From XP to Vista to Seven and now (2) Windows 8 DP & CP.

    Adobe Flash and ReaderX auto updates.
    Google Chrome auto updates
    Java auto updates

    Hm, come to think of it, virtually everything already auto-updates!

    Notepad++, Firefox, SVN Tortoise, CCleaner, Defraggler, Speccy, Internet Download Manager, AnyDVD, WinMerge, WinSCP, VLC, PowerDVD-BD, cygwin, just to mention a few.

    For what doesn't, Secunia's PSI is a great tool, sniffing out what needs to be patched, then carries it out for you, automatically!

    The toughest part was to click 'yes' to the auto-updates.

    Now what's different about other ecosystems? Lack of real apps? Just crippled apps (Crapps)?

    ~~~~~~~~~~
    Build a system that even a fool can use, and only a fool will want to use it.
    ~ Shaw's Principle

    It is impossible to make anything foolproof, because fools are so ingenious.
    ~ Anonymous

    In the vain laughter of folly wisdom hears half its applause.
    ~ George Eliot
    WinTard
    • Hmmm

      Downside with many of them auto-updating [or notifying] is that many of them require some type of service to load first which sucks up memory and resources.
      Add IE [eventually] for updating. You are Reader X auto-updates? It checks. PowerDVD doesn't auto-update. I've never had a request in v11. Also use CCleaner and WinSCP. Never got an auto-update. Configuration setting?
      Gisabun
  • But there's a big fly in the auto patching ointment

    I ran into this situation just as this issue blew up.

    User accesses work from home. Corp using Citrix remote access setup that requires Java. Turns out Java with fixes is incompatible with Corp Citrix setup. Corp knows there is a fix but doesn't yet have a time table to implement it. So auto updating their home systems means this work from home option vanishes without warning. Ugh.

    And working from home is a really big deal in this situation. Really big.

    Now I get to show them how to turn Java on and off as needed. And I'm sure they will be diligent about doing this. Yeah. Right.
    raleighthings
    • Errr

      Doesn't this remind you a bit of some companies who can't upgrade to the latest IE because their web program doesn't function with a newer IE? I think Citrix will fix their problem faster than Apple did. :-)
      Gisabun
  • just upgrade to Linux

    it is free and safer than O$x.
    The Linux Geek
  • No patch for Leopard.

    Thus I cannot patch my PowerMac.
    ye
  • Hmmmm.

    First. Unsure why Zscaler decided to merge its findings between Windows and Macs.
    Problem with Macs is that Java is generally updated by the OS and not by Sun/Oracle directly. So you could blame Apple for crawling to release an update when one was available since February for Windows and other OSs.
    On top of that, with Apple's limited support policy, those at 1.5.x and older probably won't get patched. Soon, 10.6 will join the ranks.
    Gisabun