Why is Java so risky? 77 percent of agencies run unsupported versions


Three quarters of government computers are running unsupported versions of Java, according to a Websense analysis, leaving them vulnerable to a long list of malicious exploits.

Only a handful of U.S. government computers are using the latest version of Java while more than three quarters of them are running unsupported versions of the software, which has been a common target for malware since 2010, according to an analysis by the Web security company Websense.

There are 52 update versions of Java in use, but as of this month, Oracle will update only versions of Java 7. That leaves a lot of unsupported versions on government and other computers.

JAVA ON THE .GOV DOMAIN

6.38 percent using latest update of Java 7.

23 percent using some version of Java 7.

77 percent using unsupported versions of Java 6 or earlier.

JAVA GLOBALLY

5.17 percent using latest update of Java 7.

21 percent using some version of Java 7.

79 percent using unsupported versions of Java 6 or earlier.

Source: Websense and Oracle

The government figures are in line with the global statistics for Java, which show a large number of versions in use. In the .gov domain there are 52 different update versions of the software being used, some of them more than five years old. This means that attackers do not have to depend on zero-day exploits to compromise these systems, but can rely on a growing number of commonly available exploit kits targeting known vulnerabilities.

“There have been an increasing number of targeted attacks aimed at government users,” said Charles Renert, vice president of research and technology at Websense. “This is a big hole in the IT infrastructure.”

Renert called the situation “a call to action to improve how Java is updated.”

But across-the-board updates to the current version of the software in an environment as complex as the government's are impractical, if not impossible. To protect themselves, agencies need to be able to identify and block attacks before they reach vulnerable software.

“The compromised content still has to hit the application, so stop the phishing and social engineering” that lure users into clicking on unsafe links and attachments, Renert said.

Java is a widely used programming language for client-server Web applications. Vulnerabilities in it are significant concerns because Java runs on so many computers, often without users being aware of it, and software that users are not aware of is unlikely to be updated regularly.

The large installed base of Java vulnerabilities has led to calls in recent months for abandoning the software. US-CERT in January released an advisory calling for users to disable Java in their browsers at least until a fix for the latest reported exploit was issued. Oracle, which owns Java, released the fix three days later, but the Computer Emergency Response Team of Carnegie Mellon’s Software Engineering Institute continued to advise users that “unless it is absolutely necessary to run Java in Web browsers, disable it, even after updating.”

To understand the extent of the problem of in-place vulnerabilities, Websense added Java version detection to its Advanced Classification Engine and used it to analyze tens of millions of Java endpoints on the ThreatSeeker Network.

Globally, 5.17 percent of analyzed endpoints are using the latest updated version of Java 7 (Version 1.7_17), released in March, compared with 6.38 percent in the .gov domain. At the same time update 17 was released for Java 7, Oracle released its last update, number 43, for Version 6 and announced that it no longer would update Version 6. Globally, nearly 79 percent of users still are using Version 6 or earlier. In government, about 77 percent are using the older versions.

The most commonly used version of Java in .gov is V 1.6_17 (update 17 of Version 6), at 27.41 percent. The next most common is Version 5, at 8.12 percent, which was replaced by Version 6 in 2006. Globally, the most commonly used version is V 1.6_16, at about 9 percent.

There are a number of reasons for the large installed base of outdated Java versions, Renert said. Java is a cross-platform technology, and patching it across multiple operating systems and applications is not a simple task. A lot of mobile devices use Java, and they are often outside direct enterprise management. “It’s a little harder to keep them up-to-date,” he said.

Finally, Java is updated independently of the applications using it, so an application will not necessarily be using the latest version of Java, even if the application itself has been updated. “This mix and match approach makes it difficult to keep up,” he said.

In this environment, application makers and users need to work more closely with Oracle to improve patching and updating policies and practices, Renert said.

But even at its best, updating is an incomplete solution. “The zero-days will always be a risk, and there will always be some out-of-date versions,” Renert said. “You have to assume that controls will be bypassed, that the bad guys are going to find a way around them.” Users need to understand the nature of the threats they are facing and be prepared to block them before they reach vulnerable applications, or block improper outbound traffic from compromised systems.

A full breakdown from Websense and Oracle of Java versions running on the .gov domain:

Version and update    Percentage of installed base
V 1.0 to 1.4          1.90%
V 1.5                 8.20%
V 1.6_01              0.04%
V 1.6_02              0.30%
V 1.6_03              0.33%
V 1.6_04              0.01%
V 1.6_05              0.47%
V 1.6_06              0.68%
V 1.6_07              1.30%
V 1.6_10              0.08%
V 1.6_11              0.05%
V 1.6_12              0.47%
V 1.6_13              1.37%
V 1.6_14              0.30%
V 1.6_15              0.51%
V 1.6_16              0.55%
V 1.6_17              27.41%
V 1.6_18              0.87%
V 1.6_19              0.21%
V 1.6_20              2.35%
V 1.6_21              0.84%
V 1.6_22              1.77%
V 1.6_23              0.92%
V 1.6_24              2.21%
V 1.6_25              0.28%
V 1.6_26              3.58%
V 1.6_27              0.65%
V 1.6_29              1.58%
V 1.6_30              2.76%
V 1.6_31              4.38%
V 1.6_32              0.73%
V 1.6_33              1.11%
V 1.6_34              0.87%
V 1.6_35              4.44%
V 1.6_37              1.20%
V 1.6_38              0.66%
V 1.6_39              0.93%
V 1.6_41              0.15%
V 1.6_43              0.55%   (Final update of V 1.6; Oracle announced discontinuing support for all of V 1.6 on March 4, 2013)


Java 7 was released in July 2011 and first updated in October 2011.

Version and update    Percentage of installed base
V 1.7_01              0.11%
V 1.7_02              0.17%
V 1.7_03              0.07%
V 1.7_04              0.53%
V 1.7_05              1.63%
V 1.7_06              0.11%
V 1.7_07              4.79%
V 1.7_09              2.82%
V 1.7_10              0.47%
V 1.7_11              1.71%
V 1.7_13              0.85%
V 1.7_15              3.12%
V 1.7_17              6.38%   (Current update, released March 4, 2013)

A total of 52 different versions/updates installed.
Source: Websense and Oracle
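As an added example that is not part of the article or of Websense's engine: a script that parses the .gov table above in the page's own "V 1.6_17" notation, applies the support policy the article describes (only Java 7 is updated; update 17 is current) and recomputes the headline figures, namely 52 distinct versions, 6.38 percent on the latest update, about 23 percent on some Java 7 and 77 percent on unsupported versions. The bucket names and the transcription of the table into a string are my own; swap in your endpoint inventory's version strings to run the same check on your fleet.

```python
import re
from collections import defaultdict

# Java installed base for the .gov domain, transcribed from the page's Websense/
# Oracle table. Each entry reads "V <major>_<update> <percent>%", ";"-separated.
GOV_TABLE = """
V 1.0 to 1.4 1.90%; V 1.5 8.20%
V 1.6_01 0.04%; V 1.6_02 0.30%; V 1.6_03 0.33%; V 1.6_04 0.01%; V 1.6_05 0.47%
V 1.6_06 0.68%; V 1.6_07 1.30%; V 1.6_10 0.08%; V 1.6_11 0.05%; V 1.6_12 0.47%
V 1.6_13 1.37%; V 1.6_14 0.30%; V 1.6_15 0.51%; V 1.6_16 0.55%; V 1.6_17 27.41%
V 1.6_18 0.87%; V 1.6_19 0.21%; V 1.6_20 2.35%; V 1.6_21 0.84%; V 1.6_22 1.77%
V 1.6_23 0.92%; V 1.6_24 2.21%; V 1.6_25 0.28%; V 1.6_26 3.58%; V 1.6_27 0.65%
V 1.6_29 1.58%; V 1.6_30 2.76%; V 1.6_31 4.38%; V 1.6_32 0.73%; V 1.6_33 1.11%
V 1.6_34 0.87%; V 1.6_35 4.44%; V 1.6_37 1.20%; V 1.6_38 0.66%; V 1.6_39 0.93%
V 1.6_41 0.15%; V 1.6_43 0.55%
V 1.7_01 0.11%; V 1.7_02 0.17%; V 1.7_03 0.07%; V 1.7_04 0.53%; V 1.7_05 1.63%
V 1.7_06 0.11%; V 1.7_07 4.79%; V 1.7_09 2.82%; V 1.7_10 0.47%; V 1.7_11 1.71%
V 1.7_13 0.85%; V 1.7_15 3.12%; V 1.7_17 6.38%
"""

# Support policy as the page states it (March 2013): only Java 7 still gets
# updates, and its current update is 17. Change these as Oracle's policy moves.
SUPPORTED_MAJOR, LATEST_UPDATE = "1.7", 17

ENTRY = re.compile(r"V (1\.\d)(?: to 1\.\d)?(?:_(\d+))? ([\d.]+)%")

def parse_table(text):
    """Yield (major, update, percent); update is None for the pre-1.6 rows."""
    for cell in ";".join(text.strip().splitlines()).split(";"):
        m = ENTRY.fullmatch(cell.strip())
        if not m:
            raise ValueError(f"unparsable entry: {cell!r}")
        major, upd, pct = m.groups()
        yield major, (int(upd) if upd else None), float(pct)

def classify(major, update):
    """Map one version to the page's three buckets (bucket names are mine)."""
    if major != SUPPORTED_MAJOR:
        return "unsupported"            # Java 6 and earlier: no further patches
    return "latest" if update == LATEST_UPDATE else "behind"

def summarize(text):
    """Distinct versions seen plus the share of the installed base per bucket."""
    rows = list(parse_table(text))
    shares = defaultdict(float)
    for major, update, pct in rows:
        shares[classify(major, update)] += pct
    return {"versions": len(rows), **{k: round(v, 2) for k, v in shares.items()}}
```

The table sums to 99.77 percent rather than 100, which is the rounding of the source figures, not a parsing error.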