Java-based attacks remain at large, researchers say

Summary: Just how are Java attacks getting through?

TOPICS: Security, Malware, Oracle

A new Websense report suggests that approximately 94 percent of endpoints which run Oracle's Java are vulnerable to at least one exploit, and we are ignoring updates at our own peril. 

According to security researchers at Websense, it's not just zero-day attacks which remain a persistent threat. Instead, Java exploits are now a popular tool for cybercriminals.

With so many vulnerabilities, keeping browsers up to date can become an issue — especially as Java has to be updated independently of our preferred browser, and a mobile, cross-browser workforce is difficult to manage securely. Keeping this in mind, the security team used their Advanced Classification Engine (ACE) and ThreatSeeker Network to detect and analyze in real time which versions of Java are currently in use across "tens of millions" of endpoints.

The researchers found that the latest version of Java, version 1.7.17, is in use by only a dismal five percent of users, and many versions are months or years out of date — just begging to be exploited.

[Figure: Global distribution of Java Runtime Environment versions based on active browser usage.]

Within the digital attack space, crimeware kits — which can be purchased for as little as $200 — often come supplied with Java-based exploits. The researchers' breakdown of vulnerabilities for which exploit kits are available is as follows:


The most widely detected version of Java currently in use is version 1.6.16. Over 75 percent of browsers are using Java versions which are at least six months old, nearly two-thirds are a year out of date, and 50 percent of Java versions in use are over two years behind the times with respect to Java vulnerabilities.

All in all, the researchers say that the vulnerable population of browsers is pegged at a staggering 93.77 percent.
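The age profile the researchers describe can be reproduced for one's own fleet from an inventory of reported Java versions. The following is an added example, not Websense's or ZDNet's code: it parses both `java -version` style strings ("1.7.0_17") and the article's shorthand ("1.7.17"), looks up each build's release date, and reports what fraction of endpoints are behind the newest update of their family and how many are at least 6, 12 and 24 months old. The inventory and most release dates are constructed placeholders; only the March 1, 2013 release date of 1.6.0_43 and 1.7.0_17 is taken from the reader discussion on this page, and the set of supported families is an assumption.

```python
"""Age-profile the Java Runtime Environment versions reported by a fleet.

Added example, not Websense's or ZDNet's code. The inventory and most release
dates are constructed for illustration; only the March 1, 2013 date for
1.6.0_43 and 1.7.0_17 comes from the reader discussion on this page.
"""
import re
from datetime import date
from typing import Dict, List, Tuple

# Assumed release dates keyed by (family, update number). Placeholder values
# except where noted; a real check would load these from Oracle's release notes.
RELEASE_DATES: Dict[Tuple[int, int], date] = {
    (5, 22): date(2009, 10, 1),  # placeholder
    (6, 16): date(2009, 8, 1),   # placeholder
    (6, 31): date(2012, 2, 1),   # placeholder
    (6, 41): date(2013, 2, 1),   # placeholder
    (6, 43): date(2013, 3, 1),   # from the page's discussion
    (7, 5): date(2012, 6, 1),    # placeholder
    (7, 15): date(2013, 2, 1),   # placeholder
    (7, 17): date(2013, 3, 1),   # from the page's discussion
}

# Assumption: families still receiving updates at the snapshot date.
SUPPORTED_FAMILIES = {6, 7}

# Accepts 'java -version' style ('1.7.0_17') and the article's shorthand ('1.7.17').
_VERSION_RE = re.compile(r"^1\.(\d+)(?:\.0)?[._](\d+)$")


def parse_java_version(text: str) -> Tuple[int, int]:
    """Return (family, update) for a JRE version string, or raise ValueError."""
    match = _VERSION_RE.match(text.strip())
    if not match:
        raise ValueError(f"unrecognised Java version string: {text!r}")
    return int(match.group(1)), int(match.group(2))


def latest_update(family: int, as_of: date) -> int:
    """Newest update of a family released on or before the snapshot date."""
    updates = [u for (f, u), d in RELEASE_DATES.items() if f == family and d <= as_of]
    if not updates:
        raise KeyError(f"no release on file for Java {family} by {as_of}")
    return max(updates)


def months_between(older: date, newer: date) -> int:
    """Whole months elapsed between two dates."""
    months = (newer.year - older.year) * 12 + (newer.month - older.month)
    return months - 1 if newer.day < older.day else months


def classify(version: str, as_of: date) -> Tuple[bool, int]:
    """Return (behind, age_in_months) for one endpoint's reported version.

    'behind' is true when the family is no longer supported or the update is
    older than the newest update of that family available at the snapshot date.
    """
    family, update = parse_java_version(version)
    released = RELEASE_DATES.get((family, update))
    if released is None:
        raise KeyError(f"no release date on file for Java {family} update {update}")
    behind = family not in SUPPORTED_FAMILIES or update < latest_update(family, as_of)
    return behind, months_between(released, as_of)


def profile_fleet(versions: List[str], as_of: date) -> Dict[str, float]:
    """Fractions of endpoints that are behind, and whose build is >= 6/12/24 months old."""
    results = [classify(v, as_of) for v in versions]
    n = len(results)
    return {
        "behind": sum(1 for behind, _ in results if behind) / n,
        "6_months_or_older": sum(1 for _, age in results if age >= 6) / n,
        "12_months_or_older": sum(1 for _, age in results if age >= 12) / n,
        "24_months_or_older": sum(1 for _, age in results if age >= 24) / n,
    }


# Constructed inventory: one reported version per endpoint, as a browser or
# endpoint agent might report it. Twenty endpoints, deliberately skewed old.
SAMPLE_INVENTORY: List[str] = (
    ["1.6.0_16"] * 8 + ["1.6.0_31"] * 3 + ["1.6.0_41"] * 2 + ["1.6.0_43"]
    + ["1.7.0_5"] * 2 + ["1.7.0_15"] * 2 + ["1.7.17"] + ["1.5.0_22"]
)
SNAPSHOT_DATE = date(2013, 3, 25)  # assumed survey date

if __name__ == "__main__":
    for name, fraction in profile_fleet(SAMPLE_INVENTORY, SNAPSHOT_DATE).items():
        print(f"{name:>20}: {fraction:.0%}")
```

Two design choices matter for a real inventory: an endpoint on the newest update of an unsupported family (here the lone 1.5 install) is still counted as behind, because no further fixes will ever reach it, and a version absent from the release table raises rather than silently passing, so gaps in the reference data surface instead of inflating the "current" count.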

Time to update, folks.

Charles Renert, vice president of Websense Security Labs, told Security Week:

"Controls like patch management cannot eliminate risk exposure; they can only reduce risk to what you already know. Given the increasing frequency, severity and sophistication of the latest threats, the risk gap from unknown attacks across these kinds of vectors is on the rise.

Rather than looking to update a single object or signature at a single point in time, companies must review the entire threat lifecycle and examine multiple opportunities to disrupt attacks."

  • Huge unnecessary vulnerability

    My guess is 90% of that 94% has no need for either Java or the Java plug-in.
    • Not so!

      When simple things like a mortgage or auto loan calculator require java to run... Know any computer owner without a need for a bank account and loan? That is practically everyone! I'd say your statement is toothless! Java is part of many other things most folks don't realize it is even running.

      Fix it already!
      • It depends...

        I'd say your statement is quite sweeping too...
        For me personally, I'm lucky enough to not need java 99% of the time.

        I find I rarely need it for the sites I go to - none of the banking sites I use require it, nor do any other sites I use regularly - Flash on the other hand is a different story (though the banking sites I use don't use Flash either - just javascript - maybe some server side java pages, but they don't require java on my end).

        For me, java in my browsers is something that is disabled more than 99% of the time - I just enable it on the odd occasion that I need it for something (maybe once or twice a year).

        I've actually been disabling it in browsers for over 10 years now - and in that time I've found I rarely need it. My initial reason for disabling it wasn't for security, but to save on computer resources (especially on the slow PCs I had at that time) ;)

        Of course, this is just me, and while I'm sure there are many others that only need java as little as I do, I'm also sure there are plenty of people that do need/use it regularly... the problem is most people (probably not readers of tech blogs) would have no idea whether they need it or not or whether they even have it installed.

        For Windows users at least, doesn't it need to be installed manually? i.e. doesn't a clean install of Windows have no java by default?

        "When simple things like a mortgage or auto loan calculator requires java to run..." then I tend to feel their use of java for that purpose was somewhat overkill and not something I'd bother to enable java for ;)
      • Well, just because you think it not doesn't make it so...

        One of our own government agencies (Homeland Security) strongly recommended not using Java because of how easily it can be exploited by hackers. See here: ...and here: ... and there are more. Just do a search for "Stop Using Java" and you will get many, many articles about Java and its exploitability by hackers, and why you, as a computer user, should not use Java.

        When Homeland Security made that recommendation I uninstalled Java altogether and have not missed it a single day since! I do all my bank transactions/payments online, too. Still no need for Java. Oh, and SpankyFrost, you should be able to find loan calculators that don't need Java. You might look at in their download area. I bet you can find something to replace whatever you are using now.

        Of course, you can disregard the whole issue with Java and continue to leave yourself open to a possible hack where all your financial data is stolen, along with your passwords, account numbers, etc. Go do get choose. No one will spank you, SpankyFrost.
        • You do realize that Homeland Security is run by complete idiots, right?

          "Homeland Security" is run by all the incompetents and useless trash federal employees that all the other agencies wanted to get rid of. Anything they say is most likely WRONG.

          For the non-paranoid, set up your browser (Chrome allows this) to "click-to-run" for plugins. Limiting yourself to sites which don't use plugins, and likely have less to offer, is a personal choice. That'll stop all those "accidental" site visit problems.

          But, "...a possible hack where all your financial data is stolen" is more paranoia. Please, get real. If you're that afraid of technology, why are you even banking online?

          Guess what? If the server you're using has been compromised, you're still screwed, and you likely will never even know it!
          At least with a Java or other plugin based exploit, usually your PC will show some indication of a problem (and likely you'll address it before "OMGOMGOMG all my financial information has been stoled!!!!!")
      • That's not true...

        Any reputable corporation, bank or otherwise, would be a fool to rely on Java. None of my vendors or banks require Java and Java is disabled in my browser. At the least they may offer a Java interface, but not rely on it for business.

        As far as a loan calculator it is quite simple actually and can be done on the desktop with Run --> Calc and a standard equation, but aside from that there are a myriad of other methods to do such calculations and do not require Java; in fact I would question any site that would use such a complicated calculator for such a simple thing like calculating loans and interest.

        The only thing Java is any good for is playing Minecraft, at least that is all I use it for anymore since I was tired of ads invading my screen when browsing, long load times for JEdit (>1 minute on logon) and with it resident in memory you would think file loading would be faster but it is still slower than notepad or even my Visual Studio editor. Point being it is a resource hog and acts as a Weed or a Virus more than a development language.

        If it wasn't obvious I am not a proponent of Java, more like an exponent of efficiency.
  • Unfortunately..

    I'm stuck with vendor requirements for the older 1.6 flavor of Java. Thanks EMC and Cisco. Damn Apps that won't work with 1.7 or newer. So I have a VM now with 1.6 on it that I use ONLY for those apps. Grrrrr.
    • I see this too

      Those vendors who require their customers to remain exposed due to application requirements should be publicly shamed. They need to learn the lessons and get rid of the Java requirement or else get rid of the dependencies on specific versions. Throw it on the heap over there with vendors who bundle SQL databases with their apps that have default credentials of admin/admin left intact.
      • I was with you until...

        until you said "get rid of the Java requirement".

        This is ignorant trash. The "requirement" to run an outdated version of Java is the issue, not the platform itself. The VM is backwards compatible. In other words, a newer version of the JRE is pretty much ALWAYS better. The vendor requirements are idiotic ignorance, probably the result of idiot management.
        • Actually...

          I have come across this issue as well and an irritating message comes up that says: "This program requires Java 1.6 to run" with the newer version of Java installed. This is likely a vendor issue but I agree with the statement to "Get rid of the Java Requirement" as I believe this means stop forcing customers to use the Java-based interface -- this is not ignorant, it is practical as not everyone has or desires Java and some companies even forbid it within their IT systems.
    • In the same boat...

      I started a project to get all my systems up to date, 4000+ PCs. After surveying all of my app owners who required Java, versions, plug-in reqs, etc, only a handful could go to the latest. We are now looking at application virtualization, 3rd party browsers, etc.

      The next move is to push management to spend.
      Rann Xeroxx
      • The next move is to push management to spend.


        Good luck with that.
        Rob Berman
      • I get hit with Java drive-by-downloads several times a day

        However, I run Bromium vSentry on my machine, so the malware is automatically discarded as soon as I go to a different website or close the browser tab. It works for PDFs, office docs, Adobe Flash, and lots of other content types, too. Head over to bromium dot com and click on Technology to learn more.
    • Attention readers: Read the article.

      It's not in the article text, but it's in the pictures.
      1.7.15 and 1.6.41 are vulnerable.
      1.7.17 and 1.6.43 (both released March 1, 2013) are updated and "safe".
      (Besides that, you can try it with 1.7 and see if it works anyway.)
      I thought 1.6 was going to be orphaned in Feb. 2013, so maybe 1.6.43 was the last update for 6; I don't know. But it is possible to use 1.6 today and be "up to date".
      If you need 1.5 or lower, you have a problem.
      • If REQUIRED to use Java...

        you have a problem.
  • Android Uses Java Heavily...

    ...yet it is not prone to any of these attacks. Perhaps Oracle could learn something from Android?
    • Although it's not without its own issues

      I dunno - Android, although not vulnerable in the same way - still has its own issues.
    • It's the web plugin

      Whilst the vulnerabilities have been in the java runtime environment (that android uses, complete with any previously unpatched vulnerability) the headline grabbing exploits (often zero day ones) have occurred through the web plugin. Websites get infected with malicious applets that exploit the JRE to access the system in a so-called drive by attack.

      Java programs such as java apps use the same runtime, with the same vulnerability, but are unaffected because they are designed to work in a different way to the web plugin.

      There has been a lot of confusion. You do not need to uninstall the jre and all your favourite java software, just the web plugin unless you really need it, then keep it up to date. Additionally, and I'm not sure where this has come from, but javascript is unrelated and is fine.
      • Javascript isn't "fine"

        There are JavaScript exploits as well. This is FACT. There are also browser exploits (which I suspect, many of which could be credited as "JavaScript exploits", but since JavaScript is a language and not a language/platform, people don't report it that way). None of this makes JavaScript inherently more secure than any other alternative.

        And in cases where JS is safer, it's because it simply has no option to implement a particular feature at all. (Or, it's because the browser takes the "credit" and the risk.)

        If you want to be safe from IT security issues, get off the computer. Even a Linux or BSD PC is vulnerable if the server you're accessing was hacked. Buy a credit monitoring service!
        • I'd relax a little.

          For the context of this article JavaScript in your browser is fine and unrelated to the current java conversation as it isn't anything to do with either the JRE or web plugin.

          As you say all software has holes and the safest way to use a computer is unnetworked.

          However, if you do use the internet javascript currently poses no elevated risk. Certainly nothing in the context of this article and drive by attacks.

          Be safe out there kids.

          At the end of the day there is nothing inherently safe about linux/ free/net/open bsd... They can all either be configured to be colanders or brick walls.