Only a handful of U.S. government computers are using the latest version of Java while more than three quarters of them are running unsupported versions of the software, which has been a common target for malware since 2010, according to an analysis by the Web security company Websense.
The government figures are in line with the global statistics for Java, which show a large number of versions in use. In the .gov domain there are 52 different update versions of the software being used, some of them more than five years old. This means that attackers do not have to depend on zero-day exploits to compromise these systems, but can rely on a growing number of commonly available exploit kits targeting known vulnerabilities.
“There have been an increasing number of targeted attacks aimed at government users,” said Charles Renert, vice president of research and technology at Websense. “This is a big hole in the IT infrastructure.”
Renert called the situation “a call to action to improve how Java is updated.”
But across-the-board updates to the current versions of software in an environment as complex as the government are impractical if not impossible, and to protect themselves agencies need to be able to identify and block the attacks before they can infect vulnerable software.
“The compromised content still has to hit the application, so stop the phishing and social engineering” that lure users into clicking on unsafe links and attachments, Renert said.
Java is a widely used programming language for client-server Web applications. Vulnerabilities in it are significant concerns because Java runs on so many computers, often without users being aware of it. If users aren’t aware of it, it might not be updated regularly.
The large installed base of Java vulnerabilities has led to calls in recent months for abandoning the software. US-CERT in January released an advisory calling for users to disable Java in their browsers at least until a fix for the latest reported exploit was issued. Oracle, which owns Java, released the fix three days later, but the Computer Emergency Response Team of Carnegie Mellon’s Software Engineering Institute continued to advise users that “unless it is absolutely necessary to run Java in Web browsers, disable it, even after updating.”
To understand the extent of the problem of in-place vulnerabilities, Websense added Java version detection to its Advanced Classification Engine and used it to analyze tens of millions of Java endpoints on the ThreatSeeker Network.
Globally, 5.17 percent of analyzed endpoints are using the latest updated version of Java 7 (Version 1.7_17), released in March, compared with 6.38 percent in the .gov domain. At the same time update 17 was released for Java 7, Oracle released its last update, number 43, for Version 6 and announced that it would no longer update Version 6. Globally, nearly 79 percent of users are still using Version 6 or earlier. In government, about 77 percent are using the older versions.
The most commonly used version of Java in .gov is V 1.6_17 (update 17 of Version 6), at 27.41 percent. The next most common is Version 5, at 8.12 percent, which was replaced by Version 6 in 2006. Globally, the most commonly used version is V 1.6_16, at about 9 percent.
There are a number of reasons for the large installed base of outdated Java versions, Renert said. Java is a cross-platform technology, and patching it across multiple operating systems and applications is not a simple task. A lot of mobile devices use Java, and they are often outside direct enterprise management. “It’s a little harder to keep them up-to-date,” he said.
Finally, Java is updated independently of the applications using it, so an application will not necessarily be using the latest version of Java, even if the application itself has been updated. “This mix-and-match approach makes it difficult to keep up,” he said.
In this environment, application makers and users need to work more closely with Oracle to improve patching and updating policies and practices, Renert said.
But even at its best, updating is an incomplete solution. “The zero-days will always be a risk, and there will always be some out-of-date versions,” Renert said. “You have to assume that controls will be bypassed, that the bad guys are going to find a way around them.” Users need to understand the nature of the threats they are facing and be prepared to block them before they reach vulnerable applications, or block improper outbound traffic from compromised systems.
A full breakdown from Websense and Oracle of Java versions running on the .gov domain:
Version and update          Percentage of installed base
V 1.0 to 1.4                1.90%
V 1.5                       8.20%
V 1.6_01                    0.04%
V 1.6_02                    0.30%
V 1.6_03                    0.33%
V 1.6_04                    0.01%
V 1.6_05                    0.47%
V 1.6_06                    0.68%
V 1.6_07                    1.30%
V 1.6_10                    0.08%
V 1.6_11                    0.05%
V 1.6_12                    0.47%
V 1.6_13                    1.37%
V 1.6_14                    0.30%
V 1.6_15                    0.51%
V 1.6_16                    0.55%
V 1.6_17                    27.41%
V 1.6_18                    0.87%
V 1.6_19                    0.21%
V 1.6_20                    2.35%
V 1.6_21                    0.84%
V 1.6_22                    1.77%
V 1.6_23                    0.92%
V 1.6_24                    2.21%
V 1.6_25                    0.28%
V 1.6_26                    3.58%
V 1.6_27                    0.65%
V 1.6_29                    1.58%
V 1.6_30                    2.76%
V 1.6_31                    4.38%
V 1.6_32                    0.73%
V 1.6_33                    1.11%
V 1.6_34                    0.87%
V 1.6_35                    4.44%
V 1.6_37                    1.20%
V 1.6_38                    0.66%
V 1.6_39                    0.93%
V 1.6_41                    0.15%
V 1.6_43                    0.55% (Final update of V 1.6; Oracle announced discontinuing support for all of V 1.6 on March 4, 2013)
Java 7 was released in July 2011 and first updated in October 2011.
Version and update          Percentage of installed base
V 1.7_01                    0.11%
V 1.7_02                    0.17%
V 1.7_03                    0.07%
V 1.7_04                    0.53%
V 1.7_05                    1.63%
V 1.7_06                    0.11%
V 1.7_07                    4.79%
V 1.7_09                    2.82%
V 1.7_10                    0.47%
V 1.7_11                    1.71%
V 1.7_13                    0.85%
V 1.7_15                    3.12%
V 1.7_17                    6.38% (Current update, released March 4, 2013)
A total of 52 different versions/updates installed.
Source: Websense and Oracle
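The table above is the kind of inventory a defender has to turn into a patch priority list. The following script is an added example, not code from Websense or Oracle: it parses Java version strings in the legacy "1.x" scheme (both the "1.6.0_17" form that `java -version` prints and the "1.6_17" form used in the table), classifies each against the support status the article describes (everything at Version 6 or earlier unsupported since March 4, 2013; Version 7 current only at update 17), and aggregates the article's .gov percentages. The cutoff constants, the `java -version` output format, and the decision to represent the "V 1.0 to 1.4" bucket as a single "1.4" row are assumptions made for the example.

```python
"""Classify a Java install inventory by support status (added example)."""
import re
from collections import Counter

# Assumption: the article's cutoffs. Java 6 and earlier are end-of-life;
# Java 7 is current only at update 17.
LAST_SUPPORTED_MAJOR = 7
CURRENT_RELEASE = (7, 17)

# Legacy version scheme: optional "1." prefix, major, optional ".minor",
# optional "_update". Handles "1.6.0_17", "1.6_17", "1.5", "1.7.0_17".
_LEGACY_RE = re.compile(r"^(?:1\.)?(\d+)(?:\.\d+)?(?:_(\d+))?$")
_MARKETING_RE = re.compile(r"^(\d+)u(\d+)$")  # "7u17" form


def parse_version(s: str):
    """Return (major, update) for a legacy-scheme Java version string."""
    s = s.strip().strip('"').split("-")[0]  # drop build suffix like "-b04"
    m = _MARKETING_RE.match(s)
    if m:
        return int(m.group(1)), int(m.group(2))
    m = _LEGACY_RE.match(s)
    if not m:
        raise ValueError(f"unrecognised Java version string: {s!r}")
    return int(m.group(1)), int(m.group(2) or 0)


def version_from_java_output(text: str):
    """Extract the version from captured `java -version` output (assumed format)."""
    m = re.search(r'java version "([^"]+)"', text)
    if not m:
        raise ValueError("no java version line found")
    return parse_version(m.group(1))


def status(version) -> str:
    """'unsupported' (whole major line is EOL), 'outdated' or 'current'."""
    major, update = version
    if major < LAST_SUPPORTED_MAJOR:
        return "unsupported"
    if (major, update) < CURRENT_RELEASE:
        return "outdated"
    return "current"


# Inventory transcribed from the article's .gov table (percent of installed base).
GOV_INVENTORY = [
    ("1.4", 1.90),  # the article lumps V 1.0 through 1.4 into one bucket
    ("1.5", 8.20),
] + [
    (f"1.6_{u:02d}", p) for u, p in [
        (1, 0.04), (2, 0.30), (3, 0.33), (4, 0.01), (5, 0.47), (6, 0.68), (7, 1.30),
        (10, 0.08), (11, 0.05), (12, 0.47), (13, 1.37), (14, 0.30), (15, 0.51),
        (16, 0.55), (17, 27.41), (18, 0.87), (19, 0.21), (20, 2.35), (21, 0.84),
        (22, 1.77), (23, 0.92), (24, 2.21), (25, 0.28), (26, 3.58), (27, 0.65),
        (29, 1.58), (30, 2.76), (31, 4.38), (32, 0.73), (33, 1.11), (34, 0.87),
        (35, 4.44), (37, 1.20), (38, 0.66), (39, 0.93), (41, 0.15), (43, 0.55),
    ]
] + [
    (f"1.7_{u:02d}", p) for u, p in [
        (1, 0.11), (2, 0.17), (3, 0.07), (4, 0.53), (5, 1.63), (6, 0.11), (7, 4.79),
        (9, 2.82), (10, 0.47), (11, 1.71), (13, 0.85), (15, 3.12), (17, 6.38),
    ]
]


def summarize(inventory):
    """Percent of the installed base in each support status, rounded to 0.01."""
    totals = Counter()
    for label, pct in inventory:
        totals[status(parse_version(label))] += pct
    return {k: round(v, 2) for k, v in totals.items()}


def most_common(inventory):
    """The single version/update with the largest share."""
    return max(inventory, key=lambda row: row[1])


if __name__ == "__main__":
    # Constructed sample of what an endpoint's `java -version` might print.
    sample = 'java version "1.6.0_17"\nJava(TM) SE Runtime Environment (build 1.6.0_17-b04)\n'
    print("endpoint:", version_from_java_output(sample), status(version_from_java_output(sample)))
    print("fleet:", summarize(GOV_INVENTORY))
    print("most common:", most_common(GOV_INVENTORY))
```

Run against the article's table, `summarize` puts 77.01 percent of the .gov base in the unsupported bucket and 6.38 percent on the current update, which reproduces the "about 77 percent" and "6.38 percent" figures in the text; the remaining 16.38 percent is Java 7 installs missing one or more updates, a group that is supported but not patched.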