We’ve all seen the frequent headlines of Java zero-days and exploits taking advantage of these vulnerabilities to pwn computers. In a shocking bit of research released last month, the Websense Security Labs discovered that 93 percent of computers accessing information on the web were vulnerable to known Java exploits.
After the most recent Java update (issued one month ago), the Websense Security Labs began monitoring and analysing real-world web requests to further document Java version usage to determine how quickly businesses update Java. How fast are businesses applying patches that are created to counter threats posed by known successful attacks? The answer is: most likely, never. The results of our research indicate that for Java patch management, the process is woefully slow.
• After a full week, the average adoption of the newest version of Java was at less than three percent.
• Two weeks after the newest Java version was released, the trend line had moved to a little over four percent.
• One month after release, the number of live web requests using the most recent version of Java was only around seven percent.
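The measurement described above (counting live web requests by the Java version that issued them) is something a defender can reproduce against their own proxy logs to track patch adoption inside one organisation. The following is an added example, not Websense code or data: it parses constructed proxy log lines in an assumed simplified "timestamp client url "user-agent"" layout, extracts the Java version from the User-Agent header that Java's built-in HTTP client sends (the form `Java/1.7.0_21`), and reports what share of Java traffic is on the latest release versus an older one. The `latest` value is a placeholder the operator supplies.

```python
import re
from collections import Counter

# Constructed sample proxy log lines (not real data). The layout is an assumed,
# simplified "timestamp client_ip url \"user-agent\"" format.
SAMPLE_LOG = """\
2013-05-01T10:00:01 10.0.0.5 http://example.test/app "Java/1.7.0_21"
2013-05-01T10:00:02 10.0.0.6 http://example.test/app "Java/1.6.0_45"
2013-05-01T10:00:03 10.0.0.7 http://example.test/app "Mozilla/5.0 (Windows NT 6.1)"
2013-05-01T10:00:04 10.0.0.8 http://example.test/app "Java/1.7.0_17"
2013-05-01T10:00:05 10.0.0.9 http://example.test/app "Java/1.7.0_21"
2013-05-01T10:00:06 10.0.0.10 http://example.test/app "Java/1.7.0_15"
"""

# Java's own HTTP client identifies itself as "Java/<java.version>", e.g. "Java/1.7.0_21".
# The regex captures the dotted version together with the update number after "_".
JAVA_UA = re.compile(r'"Java/(\d+\.\d+\.\d+_\d+)"')

def java_versions(log_text):
    """Count how many requests each Java version produced (non-Java lines are ignored)."""
    counts = Counter()
    for line in log_text.splitlines():
        m = JAVA_UA.search(line)
        if m:
            counts[m.group(1)] += 1
    return counts

def version_key(v):
    """Numeric sort key so that 1.7.0_21 > 1.7.0_17 > 1.6.0_45 (string comparison would not do)."""
    main, _, update = v.partition("_")
    return tuple(int(x) for x in main.split(".")) + (int(update),)

def adoption_report(log_text, latest):
    """Share of Java requests already on `latest` and share still on an older build."""
    counts = java_versions(log_text)
    total = sum(counts.values())
    if total == 0:  # no Java traffic at all: report zeros rather than divide by zero
        return {"total": 0, "latest_pct": 0.0, "outdated_pct": 0.0, "outdated": {}}
    latest_n = counts.get(latest, 0)
    outdated = {v: n for v, n in counts.items() if version_key(v) < version_key(latest)}
    return {
        "total": total,
        "latest_pct": round(100.0 * latest_n / total, 1),
        "outdated_pct": round(100.0 * sum(outdated.values()) / total, 1),
        "outdated": dict(sorted(outdated.items(), key=lambda kv: version_key(kv[0]))),
    }

if __name__ == "__main__":
    LATEST = "1.7.0_21"  # placeholder: set this to the current Java release for your environment
    print(adoption_report(SAMPLE_LOG, LATEST))
```

Run weekly over the real proxy export and plot `latest_pct` to get the same trend line the article describes for your own fleet; hosts that keep appearing under `outdated` are the ones to chase.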
Carl Leonard, Senior Security Researcher at Websense Security Labs said: “With the massive amount of Java 0-days, known vulnerabilities and headline-grabbing attacks using these vulnerabilities, most security professionals know that Java has been the equivalent of a faulty lock on your home. Unfortunately, the lock is proving very hard to secure and cybercriminals continue to get through. Since we can’t yet manage to curtail this risk by patching in a timely manner, we absolutely must apply secondary defenses to interrupt other stages of the attack life cycle and prevent data theft.”