Only a handful of U.S. government computers are using the latest
version of Java while more than three quarters of them are running
unsupported versions of the software, which has been a common target for
malware since 2010, according to an analysis by the Web security company Websense.
The government figures are in line with the global statistics for
Java, which show a large number of versions in use. In the .gov domain
there are 52 different update versions of the software being used, some
of them more than five years old. This means that attackers do not have
to depend on zero-day exploits to compromise these systems, but can rely
on a growing number of commonly available exploit kits targeting known
vulnerabilities.
“There have been an increasing number of targeted attacks aimed at
government users,” said Charles Renert, vice president of research and
technology at Websense. “This is a big hole in the IT infrastructure.”
Renert called the situation “a call to action to improve how Java is updated.”
But across-the-board updates to the current versions of software in
an environment as complex as the government are impractical if not
impossible, and to protect themselves agencies need to be able to
identify and block the attacks before they can infect vulnerable
software.
“The compromised content still has to hit the application, so stop
the phishing and social engineering” that lure users into clicking on
unsafe links and attachments, Renert said.
Java is a widely used programming language for client-server Web applications. Vulnerabilities in it are
significant concerns because Java runs on so many computers, often without users being aware
of it; a user who does not know Java is installed is unlikely to update it regularly.
The large installed base of Java vulnerabilities has led to calls in
recent months for abandoning the software. US-CERT in January released
an advisory calling for users to disable Java in their browsers at least until a
fix for the latest reported exploit was issued. Oracle, which owns Java,
released the fix three days later, but the Computer Emergency Response
Team of Carnegie Mellon’s Software Engineering Institute continued to
advise users that “unless it is absolutely necessary to run Java in Web browsers, disable it, even after updating.”
To understand the extent of the problem of in-place vulnerabilities,
Websense added Java version detection to its Advanced Classification
Engine and used it to analyze tens of millions of Java endpoints on the
ThreatSeeker Network.
Globally, 5.17 percent of analyzed endpoints are using the latest
updated version of Java 7 (Version 1.7_17), released in March, compared
with 6.38 percent in the .gov domain. At the same time update 17 was
released for Java 7, Oracle released its last update, number 43, for
Version 6 and announced that it no longer would update Version 6.
Globally, nearly 79 percent of users still are using Version 6 or
earlier. In government, about 77 percent are using the older versions.
The most commonly used version of Java in .gov is V 1.6_17 (update 17
of Version 6), at 27.41 percent. The next most common is Version 5, at
8.12 percent, which was replaced by Version 6 in 2006. Globally, the
most commonly used version is V 1.6_16, at about 9 percent.
There are a number of reasons for the large installed base of
outdated Java versions, Renert said. Java is a cross-platform
technology, and patching it across multiple operating systems and
applications is not a simple task. A lot of mobile devices use Java, and
they are often outside direct enterprise management. “It’s a little
harder to keep them up-to-date,” he said.
Finally, Java is updated independently of the applications using it,
so an application will not necessarily be using the latest version of
Java, even if the application itself has been updated. “This mix and
match approach makes it difficult to keep up,” he said.
In this environment, application makers and users need to work more
closely with Oracle to improve patching and updating policies and
practices, Renert said.
But even at its best, updating is an incomplete solution. “The
zero-days will always be a risk, and there will always be some
out-of-date versions,” Renert said. “You have to assume that controls
will be bypassed, that the bad guys are going to find a way around
them.” Users need to understand the nature of the threats they are
facing and be prepared to block them before they reach vulnerable
applications, or block improper outbound traffic from compromised
systems.
A full breakdown from Websense and Oracle of Java versions running on the .gov domain:
Version and update    Percentage of installed base
V 1.0 to 1.4           1.90%
V 1.5                  8.20%
V 1.6_01               0.04%
V 1.6_02               0.30%
V 1.6_03               0.33%
V 1.6_04               0.01%
V 1.6_05               0.47%
V 1.6_06               0.68%
V 1.6_07               1.30%
V 1.6_10               0.08%
V 1.6_11               0.05%
V 1.6_12               0.47%
V 1.6_13               1.37%
V 1.6_14               0.30%
V 1.6_15               0.51%
V 1.6_16               0.55%
V 1.6_17              27.41%
V 1.6_18               0.87%
V 1.6_19               0.21%
V 1.6_20               2.35%
V 1.6_21               0.84%
V 1.6_22               1.77%
V 1.6_23               0.92%
V 1.6_24               2.21%
V 1.6_25               0.28%
V 1.6_26               3.58%
V 1.6_27               0.65%
V 1.6_29               1.58%
V 1.6_30               2.76%
V 1.6_31               4.38%
V 1.6_32               0.73%
V 1.6_33               1.11%
V 1.6_34               0.87%
V 1.6_35               4.44%
V 1.6_37               1.20%
V 1.6_38               0.66%
V 1.6_39               0.93%
V 1.6_41               0.15%
V 1.6_43               0.55%   (final update of V 1.6; Oracle announced
                               discontinuing support for all of V 1.6 on
                               March 4, 2013)
Java 7 was released in July 2011 and first updated in October 2011.
Version and update    Percentage of installed base
V 1.7_01               0.11%
V 1.7_02               0.17%
V 1.7_03               0.07%
V 1.7_04               0.53%
V 1.7_05               1.63%
V 1.7_06               0.11%
V 1.7_07               4.79%
V 1.7_09               2.82%
V 1.7_10               0.47%
V 1.7_11               1.71%
V 1.7_13               0.85%
V 1.7_15               3.12%
V 1.7_17               6.38%   (current update, released March 4, 2013)
A total of 52 different versions/updates installed.
Source: Websense and Oracle
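The version detection described above and the breakdown it produced come down to two mechanical steps: parse the version string a host reports, then compare it against a support policy. The script below is an added illustration of those steps and is not code from Websense or Oracle. The support-policy snapshot is constructed from the facts the article states (all of Java 6 end-of-life as of update 43 on March 4, 2013; Java 7 update 17 current), the embedded data is the .gov breakdown above entered by hand (the "V 1.0 to 1.4" row is entered as one 1.4 entry), and the function names, the policy constants and the sample `java -version` text are all assumptions.

```python
"""Classify Java versions from an endpoint inventory against a support policy.

Added example; this is not Websense's or Oracle's code. The policy snapshot
below is constructed from the article's March 2013 facts, and the sample
rows are the article's .gov breakdown entered by hand.
"""
import re
from decimal import Decimal
from typing import Dict, Iterable, Tuple

# Accepts the article's "1.6_17" form and the "1.6.0_17" form printed by
# `java -version`; a trailing build tag such as "-b04" is ignored.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.\d+)?(?:_(\d+))?(?:-\S+)?$")


def parse_java_version(text: str) -> Tuple[int, int, int]:
    """Return (major, minor, update) for a legacy-style Java version string."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Java version: {text!r}")
    major, minor, update = m.groups()
    return int(major), int(minor), int(update or 0)


def version_from_java_output(output: str) -> str:
    """Pull the quoted version out of `java -version` output (note: it is written to stderr)."""
    m = re.search(r'java version "([^"]+)"', output)
    if not m:
        raise ValueError("no 'java version' line found")
    return m.group(1)


# Policy snapshot (constructed from the article): families Oracle no longer
# updates, and the latest update number for each family still supported.
END_OF_LIFE_FAMILIES = {(1, 0), (1, 1), (1, 2), (1, 3), (1, 4), (1, 5), (1, 6)}
LATEST_UPDATE = {(1, 7): 17}


def classify(version: str) -> str:
    """'current', 'outdated' (supported family, old update), 'unsupported' or 'unknown'."""
    major, minor, update = parse_java_version(version)
    family = (major, minor)
    if family in END_OF_LIFE_FAMILIES:
        return "unsupported"
    if family not in LATEST_UPDATE:
        return "unknown"  # family newer than the policy snapshot: refresh the policy
    return "current" if update >= LATEST_UPDATE[family] else "outdated"


# The article's .gov breakdown: update number -> percent of installed base.
_JAVA6 = {1: "0.04", 2: "0.30", 3: "0.33", 4: "0.01", 5: "0.47", 6: "0.68", 7: "1.30",
          10: "0.08", 11: "0.05", 12: "0.47", 13: "1.37", 14: "0.30", 15: "0.51",
          16: "0.55", 17: "27.41", 18: "0.87", 19: "0.21", 20: "2.35", 21: "0.84",
          22: "1.77", 23: "0.92", 24: "2.21", 25: "0.28", 26: "3.58", 27: "0.65",
          29: "1.58", 30: "2.76", 31: "4.38", 32: "0.73", 33: "1.11", 34: "0.87",
          35: "4.44", 37: "1.20", 38: "0.66", 39: "0.93", 41: "0.15", 43: "0.55"}
_JAVA7 = {1: "0.11", 2: "0.17", 3: "0.07", 4: "0.53", 5: "1.63", 6: "0.11", 7: "4.79",
          9: "2.82", 10: "0.47", 11: "1.71", 13: "0.85", 15: "3.12", 17: "6.38"}
GOV_BREAKDOWN = (
    [("1.4_0", "1.90"), ("1.5_0", "8.20")]  # "V 1.0 to 1.4" entered as 1.4
    + [(f"1.6_{u:02d}", p) for u, p in _JAVA6.items()]
    + [(f"1.7_{u:02d}", p) for u, p in _JAVA7.items()]
)


def summarize(rows: Iterable[Tuple[str, str]]) -> Dict[str, Decimal]:
    """Sum installed-base percentages per support status (Decimal keeps the sums exact)."""
    totals = {k: Decimal("0") for k in ("current", "outdated", "unsupported", "unknown")}
    for version, percent in rows:
        totals[classify(version)] += Decimal(percent)
    return totals


def distinct_versions(rows: Iterable[Tuple[str, str]]) -> int:
    """Number of distinct (major, minor, update) triples in the inventory."""
    return len({parse_java_version(v) for v, _ in rows})


if __name__ == "__main__":
    # Constructed sample of what one host reports; it is classified like any row.
    sample = 'java version "1.6.0_17"\nJava(TM) SE Runtime Environment (build 1.6.0_17-b04)\n'
    host_version = version_from_java_output(sample)
    print(host_version, "->", classify(host_version))
    for status, share in summarize(GOV_BREAKDOWN).items():
        print(f"{status:12s} {share:6.2f}%")
    print("distinct versions:", distinct_versions(GOV_BREAKDOWN))
```

Against the embedded breakdown the script reports 77.01% unsupported, 16.38% on a supported family but behind update 17, and 6.38% current, with 52 distinct versions, which matches the article's "about 77 percent" and "52 different versions" figures. On a real fleet the rows would come from an endpoint inventory rather than the embedded table, and the policy constants are the part that has to be refreshed every time Oracle ships an update or retires a family; the "unknown" result exists so that a stale policy is noticed rather than silently counted as supported.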