Study: Bad Enterprise Patch Management Results in 'Frightening' Java Vulnerabilities

Most browser Java installations continue to be unpatched or outdated, leaving the majority of users vulnerable to exploit code already in use in the wild. That's the conclusion of an update published last week by Websense, a San Diego-based information security solutions provider, to its March 2013 study on how Java attacks get through.

The original study, conducted by the company's Security Labs group of more than 100 researchers, found that only 5.5 percent of Java-enabled browsers were running the most current version of the Java plug-in (at the time, Java 7 Update 17 and Java 6 Update 43). The update, posted on the company's blog, found that 93 percent of users are still not patched to the most recent version of Java.

Oracle released a critical patch update for Java SE on April 16 for multiple security vulnerabilities. The next such update is scheduled for July 16, and another on October 15.

Websense maintains a "threat intelligence network" called ThreatSeeker made up of its own customer base. Through this network, the company monitors billions of Web requests originating from tens of millions of computers, the company says. Earlier this year, the company added Java version detection to its Advanced Classification Engine (ACE) and "pumped it" into the Websense ThreatSeeker Network, which produced real-time telemetry about which versions of Java are actively being used.

The company also looked at how the lack of effective patch management is affecting the enterprise, focusing on business environments and the most recent Java patch issued in April. It found that the process of Java patch management in the enterprise is "woefully slow." Specifically, a week after the April patch was issued, the average adoption was less than 3 percent; after two weeks, it was a little more than 4 percent; and after a month, it was approaching 7 percent.

"The results of our research were frightening to say the least," Bob Hansmann, Websense senior product manager, wrote in a company blog post, adding, "If we can't manage to curtail risk even by patching in a timely manner, we absolutely must put appropriate real time security analysis in place to inspect every stage of an attack life cycle."

In January, Oracle's senior product security manager, Milton Smith, told Java User Group (JUG) leaders during a conference call that the company's chief area of concern was Java plugins running applets on the browser. "A lot of the attacks that we've seen, and the security fixes that apply to them, have been [about] Java in the browser," he said. "It's the biggest target now."

"Let's hope that Oracle can get the overwhelming recent challenges behind them and really make an effort to make this as secure as possible moving forward," Hansmann wrote.

About the Author

John K. Waters is the editor in chief of a number of sites, with a focus on high-end development, AI and future tech. He's been writing about cutting-edge technologies and the culture of Silicon Valley for more than two decades, and he's written more than a dozen books. He also co-scripted the documentary film Silicon Valley: A 100 Year Renaissance, which aired on PBS. He can be reached at [email protected].