A new research report by the Bit9 information security vendor has shown that Java is still the endpoint technology most targeted by cyber-attacks, meaning the platform still represents a significant security risk to financial institutions (FIs) and other enterprises.
Despite years of Java patches and security updates the prevalence of earlier iterations provides an open door for hackers and other cyber-criminals concluded the Bit9 threat research team after analysing Java deployment statistics on approximately 1 million endpoints at hundreds of enterprises worldwide. The sheer popularity of the open platform also significantly contributes towards its popularity with cyber-criminals of course.
The ‘Java Vulnerabilities: Write Once, Pwn Anywhere’ report identifies significant risks posed by outdated versions of Java with many known vulnerabilities still widely deployed by FIs and other businesses. According to the vendor:
• The average organisation has more than 50 versions of Java installed across all of its endpoints – indeed; five per cent of enterprises have more than 100 versions of Java installed.
• Most endpoints have multiple versions of Java installed, in part because the Java installation and update process often does not remove old versions.
• Attackers can determine what versions of Java an enterprise is running and target the oldest, most vulnerable versions.
• The most popular version of Java running on endpoints analysed by Bit9 is version 6 update 20, which is present on 9 per cent of all systems and has 96 known vulnerabilities of the highest severity.
• Less than 1 per cent of enterprises are running the latest better protected version of Java.
“For the past 15 years or so, IT administrators have been under the misperception that updating Java would address its security issues,” said Harry Sverdlove, the report’s author and Bit9 chief technology officer (CTO). “They have been told that to improve security, they should continuously and aggressively deploy Java updates on all of their endpoints. Unfortunately, updating is not the same as upgrading. Until very recently, those updates have failed to deliver the promised security upgrade because they have not removed older, highly vulnerable versions of Java they were intended to replace. As a result, most organisations have multiple versions of Java on their endpoints, including some that were released at the same time as Windows 95.”
The vendor is urging FIs and others concerned about the security risks inherent in older versions of Java to:
• Assess how many versions of Java are running in the enterprise and decide if these older versions are needed for valid business reasons, and if Java should be running in browsers.
• Enforce those decisions with a comprehensive security solution
“It’s not surprising that most companies are unaware of all the versions of Java on their systems,” said Sverdlove. “Most organisations have no idea what’s running on their endpoints and servers - they lack visibility into those systems. And traditional security solutions, including antivirus offerings, can’t protect them from modern threats. At Bit9 we focus on providing real-time visibility and protection for endpoints and servers to address this critical need.”