Failure to clean up old Java is leaving enterprises vulnerable to attack

Summary: Most enterprises are running legacy versions of Java in their IT estates that are leaving them open to attack.

Large numbers of businesses are running outdated and insecure versions of Java and leaving themselves vulnerable to attack, a study has found.

The majority of organisations, 82 percent, are running the most vulnerable version of Java, version six, on PCs and servers within their organisation, a research report by security firm Bit9 said. According to the study, software flaws in version six of Java have a higher cumulative Common Vulnerability Scoring System rating than flaws in any other Java version.

The average enterprise has more than 50 versions of Java installed on its PCs and servers, Bit9 said, and nearly half of all computer endpoints — PCs, servers and fixed-function machines such as ATMs — are running more than two versions of Java.

The plethora of different legacy Java versions running inside enterprise IT estates is leaving businesses vulnerable to attacks via software flaws patched by the latest Java updates, the report said. Last year, Java surpassed Adobe Reader as the most exploited endpoint software in real-world attacks, according to research by security firm Kaspersky.

The blame for not removing old versions of Java from IT estates shouldn't be laid entirely at the feet of organisations, the report says, as it partly stems from the failure of Java installation and update software to remove previous versions.

"Installing a new version of Java will not always remove older versions of the software," it states.

"The fact that older major versions of Java are not removed during installation of newer versions has led to continued high prevalence of very old and vulnerable versions of Java remaining on a high percentage of endpoints."

For example, the report said running the Java update process when version 6 Update 13 is installed will remove version 6 Update 13 and install the latest version, version 7 Update 25, but it will not remove version 5 Update 22 if that version was installed previously.

A good protection for businesses running multiple versions of Java is to update to the latest version of the software, currently version 7 Update 25, because that version no longer lets users pick an older installed Java version to run code against.

However, the report found that at the time the research was carried out fewer than one percent of organisations had upgraded to the then-latest version of Java.

"It seems reasonable to conclude that most organisations are susceptible to a large number of old vulnerabilities for which fixes are available simply due to lack of updating," the report states.

Bit9 recommends that organisations evaluate where Java is genuinely needed and, where they choose to remove it, audit their endpoints afterwards to confirm that the removal actually succeeded.
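The audit the report recommends, and the "old major version left behind" case it describes, can be checked offline from an inventory export. The script below is an added example written for this article; it is not code from Bit9 or the report. It assumes an export with one (hostname, java_version) row per installed JRE, as a patch-management or asset tool would produce; the sample rows are constructed, and the 7u25 baseline is the latest version the article names at the time of writing.

```python
"""Audit Java installs across an endpoint inventory (offline).

Added example for this article, not code from Bit9 or the report.
Assumes an inventory export with one (hostname, java_version) row per
installed JRE. The sample rows below are constructed. The baseline
7u25 is the latest release the article names at the time of writing.
"""
import re
from collections import defaultdict

# Constructed sample inventory: one row per Java install found on a host.
SAMPLE_INVENTORY = [
    ("ws-001", "7u25"),        # download-page style version string
    ("ws-002", "1.6.0_13"),    # "java -version" style version string
    ("ws-002", "1.5.0_22"),
    ("ws-003", "1.7.0_25"),
    ("ws-003", "1.5.0_22"),    # old major release left behind by the updater
    ("atm-017", "1.6.0_45"),
    ("srv-db1", "1.7.0_21"),
    ("srv-db1", "1.6.0_38"),
    ("srv-db1", "1.5.0_22"),
]

# "version 7 Update 25", the latest release the article names
BASELINE = (7, 25)

_FORMS = (
    re.compile(r"^1\.(\d+)\.0_(\d+)$"),  # e.g. 1.7.0_25
    re.compile(r"^(\d+)u(\d+)$"),        # e.g. 7u25
)


def parse_version(text):
    """Return (major, update) for either common JRE version spelling."""
    text = text.strip()
    for form in _FORMS:
        m = form.match(text)
        if m:
            return int(m.group(1)), int(m.group(2))
    raise ValueError(f"unrecognised Java version string: {text!r}")


def audit(inventory, baseline=BASELINE):
    """Group installs per host and flag the conditions the report describes."""
    per_host = defaultdict(set)
    for host, text in inventory:
        per_host[host].add(parse_version(text))

    findings = {}
    for host, versions in per_host.items():
        newest = max(versions)
        findings[host] = {
            "versions": sorted(versions),
            "multiple_versions": len(versions) > 1,
            "more_than_two": len(versions) > 2,
            # older major releases still present next to the newest install:
            # the "not removed during installation" case the report quotes
            "leftover_majors": sorted({v[0] for v in versions if v[0] < newest[0]}),
            "below_baseline": newest < baseline,
        }
    return findings


def hosts_with_major(findings, major):
    """Hosts on which a given major release (e.g. 6) is still installed."""
    return sorted(h for h, f in findings.items()
                  if any(v[0] == major for v in f["versions"]))


def summarise(findings):
    """Fleet-wide percentages in the same terms the report uses."""
    n = len(findings)

    def pct(key):
        return round(100.0 * sum(f[key] for f in findings.values()) / n, 1)

    return {
        "hosts": n,
        "pct_multiple_versions": pct("multiple_versions"),
        "pct_more_than_two": pct("more_than_two"),
        "pct_below_baseline": pct("below_baseline"),
        "pct_with_java6": round(100.0 * len(hosts_with_major(findings, 6)) / n, 1),
    }


if __name__ == "__main__":
    findings = audit(SAMPLE_INVENTORY)
    for host in sorted(findings):
        f = findings[host]
        print(f"{host:8} versions={f['versions']} "
              f"leftover_majors={f['leftover_majors']} below_baseline={f['below_baseline']}")
    print(summarise(findings))
```

Run against a real export, the `leftover_majors` list per host is the removal check the report asks for: after an update or uninstall it should be empty, and `hosts_with_major(findings, 6)` should shrink to the hosts that genuinely still need version 6. Note that the script only sees what the inventory tool reports, so an install the tool misses (a bundled private JRE inside an application directory, for instance) will not appear in the findings.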

Not all Java applications are equally vulnerable to attack. According to the report, it is when Java is used as a client-side web technology, such as a browser plug-in, that it presents the greatest opportunity for exploitation.

Bit9 gathered data for the report from about one million computer endpoints running within several hundred organisations worldwide.


Nick Heath is chief reporter for TechRepublic UK. He writes about the technology that IT-decision makers need to know about, and the latest happenings in the European tech scene.

  • more likely

    a failure to allocate funds for the upgrade by bean-counter CFOs.
    The Linux Geek
    • Update Code

      If the original code uses a now-deprecated "feature" then a new version of Java will at some point break the app. Money must be set aside to update the older code.
    • Hey guess what? The latest java runtimes also

      leave enterprises vulnerable to attacks. There's no point. A couple of weeks later the net will be bustling with new zero days for sale. The only secured Java is an uninstalled Java. Online banking, video sites, and whatnot don't require it anymore. Uninstall it, you won't miss it.
      Johnny Vegas
      • You seemed to miss the point.

        Inside of enterprises it's not the web surfers who are the issue, it's the server side software, the ATM networks, the desktop app written in Java "because it was sold as the way to save money" 10 years ago, and on and on and on.

        If you're Met Life and have 10,000 people processing claims using a DB application written in Java with client side Java code also a part of the mix, "just say no" means closing the doors.
  • Java updates don't work well to begin with

    Just upgraded version 6 r12 to 7 r25. The update still doesn't remove the older version. You have to manually remove them yourself, which is a nightmare for IT services having to manage so many machines.

    On top of that the Java BHO and add-ons for Internet Explorer keep the older copies, albeit inactive but still there.
    • The uninstall removes the Java BHO.... it just doesn't unregister the DLLs in the registry. I created a script to fix this. I keep it on a USB thumbdrive.
      • And how does someone like Chase Bank

        Deal with this on their ATM network? Send out a teller with a USB stick to open up the machine and run some scripts?
  • This article could have been more helpful

    This article would have been more helpful if it had spent a couple of paragraphs on a proper resolution.
    • Here's the resolution:

      1) If you don't use Java, get rid of it off all of your machines. I shouldn't need to say why it's important to rid yourself of unnecessary software that increases attack vectors.
      2) If you use Java with version-independent code: use patch management software to update your machines. System Center software will do this already. You can also use tools from Secunia to help. If you don't have central patch management software for a corporate network environment, WHAT IS WRONG WITH YOU!?
      3) If you use Java with version-dependent code: update your code, or isolate application systems behind a corporate VPN and don't allow them to have unfettered network or Internet access. This is Legacy Systems 101. Consider the risks of running software code that is out of support, and the cost of development to properly secure the computing environment.

      Here's a tip: consider running outdated applications on dedicated "appliance" servers instead of general systems that run multiple applications. Look at embedded options that may extend the support lifecycle. Related note: XP Embedded will be supported until January 2016. Consider running XP-only desktop apps in a stripped down XP Embedded environment that reduces your attack vector and still includes support.
  • Migration

    What is the cost of migrating from Java 6 to Java 7?

    The last time I tried updating a JBoss and Websphere server, the apps failed.

    People who come from simple Java shops do not realise the following.

    There are thousands of servers that need certification/qualification, due to running financial/banking app services as well as federal govt mandated requirements. Recent Obamacare has added a further burden to system qualification.

    Someone commented here that bean counters had not allocated the money to perform the upgrade. For many institutions, funding is the least of worries. Do you have any idea about the implications to totally requalify/recertify all the apps/services running on a server?
    Cynthia Avishegnath
  • Update Code is correct

    And sometimes it is hundreds of apps with thousands of different users. And sometimes these users need multiple versions because they use different apps. It is a very complex issue in larger organizations and simpleton solutions like "just remove it" will cause more problems than they will solve. Shutting down large portions of your business is not a solution.