The announcement of a new Java vulnerability seems about as common as sunshine in San Diego.
The past few weeks have witnessed a number of Java zero-day vulnerabilities. And according to managed security provider Websense, some 94 percent of browsers may be vulnerable to at least one Java exploit.
Charles Renert, Vice President at Websense Security Labs, told Security Bistro that while it wasn't exactly a surprise to see Java vulnerabilities showing up on a variety of endpoints, the numbers were a bit eye-popping.
"Historically, we have known that Java updates were somewhat challenging, because they update independently of a browser. However when you start to see that more than 50% of browsers are greater than two years behind the times with respect to Java vulnerabilities, you look at the problem from a new vantage," said Renert. "In addition, it was a bit startling to see that nearly 80% of users are on a version of Java that will no longer receive any patches due to Oracle’s end-of-life for Java V6."
To assess the vulnerabilities, researchers at Websense added Java detection to their threat database in an effort to gain some real-time insight into which versions of Java are actively being used across tens of millions of endpoints. From there, they broke down the vulnerabilities and the kits used to exploit them:
According to the post, "Most browsers are vulnerable to a much broader array of well-known Java holes, with over 75% using versions that are at least six months old, nearly two-thirds being more than a year out of date, and more than 50% of browsers are greater than two years behind the times with respect to Java vulnerabilities."
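The staleness breakdown quoted above (share of browsers on a Java version at least six months, more than a year, or more than two years old, plus the share on the end-of-life Java 6 line) is straightforward to reproduce against your own endpoint inventory. The Python script below is an added example, not Websense's code: the inventory records, the per-version release dates and the reference date are constructed sample values, the legacy `1.<major>.0_<update>` version format is the only one it parses, and the age thresholds are the cut-offs the article reports.

```python
from datetime import date

# Oracle ended public updates for Java 6 (as stated in the article), so any
# endpoint on major version 6 or lower gets no further security patches.
EOL_MAJOR = 6

# Age thresholds used in the article's breakdown; six months is approximated
# as 182 days.
AT_LEAST_6_MONTHS = 182
OVER_1_YEAR = 365
OVER_2_YEARS = 730

# Constructed reference date for the report (not a real observation date).
AS_OF = date(2013, 4, 1)

# Constructed sample inventory: one record per endpoint with the Java version
# observed and a constructed release date for that version. Real telemetry
# would map version strings to vendor release dates from an authoritative table.
INVENTORY = [
    {"endpoint": "host-01", "version": "1.6.0_20", "released": date(2010, 4, 15)},
    {"endpoint": "host-02", "version": "1.6.0_45", "released": date(2013, 3, 5)},
    {"endpoint": "host-03", "version": "1.7.0_05", "released": date(2012, 6, 12)},
    {"endpoint": "host-04", "version": "1.7.0_17", "released": date(2013, 3, 4)},
    {"endpoint": "host-05", "version": "1.6.0_26", "released": date(2011, 6, 7)},
    {"endpoint": "host-06", "version": "1.5.0_22", "released": date(2009, 11, 3)},
    {"endpoint": "host-07", "version": "1.7.0_13", "released": date(2013, 2, 1)},
    {"endpoint": "host-08", "version": "1.6.0_31", "released": date(2012, 2, 14)},
    {"endpoint": "host-09", "version": "1.7.0_09", "released": date(2012, 10, 16)},
    {"endpoint": "host-10", "version": "1.6.0_07", "released": date(2008, 7, 8)},
]


def java_major(version: str) -> int:
    """Return the Java major version (5, 6, 7, ...) from a legacy version string
    such as '1.6.0_45' or '1.7.0'."""
    parts = version.split(".")
    if len(parts) < 2 or parts[0] != "1" or not parts[1].isdigit():
        raise ValueError(f"unrecognised Java version string: {version!r}")
    return int(parts[1])


def staleness_report(records, as_of):
    """Count endpoints per age bucket and on the EOL major line, and return
    both raw counts and percentages of the inventory."""
    total = len(records)
    counts = {
        "at_least_6_months": 0,
        "over_1_year": 0,
        "over_2_years": 0,
        "eol_major": 0,
    }
    for r in records:
        age_days = (as_of - r["released"]).days
        if age_days >= AT_LEAST_6_MONTHS:
            counts["at_least_6_months"] += 1
        if age_days > OVER_1_YEAR:
            counts["over_1_year"] += 1
        if age_days > OVER_2_YEARS:
            counts["over_2_years"] += 1
        if java_major(r["version"]) <= EOL_MAJOR:
            counts["eol_major"] += 1
    percent = {k: round(100.0 * v / total, 1) for k, v in counts.items()}
    return {"total": total, "counts": counts, "percent": percent}


def flag_endpoints(records, as_of):
    """Return the endpoints that need remediation first: those on an EOL major
    version (no patches coming) or more than two years behind."""
    flagged = []
    for r in records:
        age_days = (as_of - r["released"]).days
        if java_major(r["version"]) <= EOL_MAJOR or age_days > OVER_2_YEARS:
            flagged.append(r["endpoint"])
    return flagged


if __name__ == "__main__":
    report = staleness_report(INVENTORY, AS_OF)
    for bucket, pct in report["percent"].items():
        print(f"{bucket:>18}: {pct:5.1f}% ({report['counts'][bucket]}/{report['total']})")
    print("remediate first:", ", ".join(flag_endpoints(INVENTORY, AS_OF)))
```

On the constructed sample this yields 60% at least six months old, 50% more than a year, 30% more than two years and 60% on the EOL line; the flagged list is the set an operations team would take to patch management first, since endpoints on Java 6 cannot be fixed by simply applying the next update.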
To remedy these vulnerabilities, Renert said that enterprises must look beyond controls like patch management, which can only reduce risk to what is already known.
"Given the increasing frequency, severity and sophistication of the latest threats, the risk gap from unknown attacks across these kind of vectors is on the rise. Rather than looking to update a single object or signature at a single point in time, companies must review the entire threat lifecycle and examine multiple opportunities to disrupt attacks," he added.