Warnings are out there, but users still ignore them: 81 percent of businesses run outdated Java, while 40 percent have not updated Flash, new research showed.
Failing to apply patches that address vulnerabilities in Flash and Java leaves enterprises at risk of targeted attacks that lead to the theft of business intelligence, said researchers at Websense.
Only 19 percent of enterprise Windows-based computers ran the latest version of Java (7u25) between August 1 and August 29, the security firm said. More than 40 percent of enterprise Java requests are from browsers still using outdated Java 6.
The combined effect shows more than four in five Java requests are susceptible to two popular new Java exploits (CVE-2013-2473 and CVE-2013-2463).
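The survey counts are built from the Java version that browsers and the Java runtime announce in their HTTP User-Agent header. The following is an added illustration, not Websense's own tooling, of how a defender can run the same kind of census over a proxy or web-server log: it parses the `Java/1.x.y_zz` User-Agent form (here `1.7.0_25` is the runtime string for what Oracle calls 7u25), classifies each request against the latest release the article cites, and reports the share of Java requests that are behind it. The log lines are constructed sample input; the `LATEST` baseline and the category names are this example's own choices.

```python
import re
from collections import Counter

# The Java runtime reports itself in the User-Agent as "Java/1.<major>.0_<update>",
# e.g. "Java/1.7.0_25" for Java 7 Update 25 (7u25). This regex covers that 1.x scheme.
JAVA_UA = re.compile(r"Java/1\.(?P<major>\d+)\.\d+(?:_(?P<update>\d+))?")

# Baseline used by the article: 7u25 was the latest Java release in its survey window.
# Anything older is counted as outdated (and, per the article, exposed to the two
# CVEs it names).
LATEST = (7, 25)


def parse_java_version(user_agent):
    """Return (major, update) for a Java User-Agent, or None if the client is not Java."""
    m = JAVA_UA.search(user_agent)
    if not m:
        return None
    return int(m.group("major")), int(m.group("update") or 0)


def classify(version):
    """Bucket a parsed version the way the survey does: latest, old Java 7, or Java 6 and older."""
    if version is None:
        return "non-java"
    major, update = version
    if (major, update) >= LATEST:
        return "latest"
    if major >= 7:
        return "outdated-java7"
    return "outdated-java6-or-older"


def summarize(log_lines):
    """Count Java requests per bucket and compute the outdated share as a percentage."""
    counts = Counter()
    for line in log_lines:
        # Combined log format: the User-Agent is the last double-quoted field.
        user_agent = line.rsplit('"', 2)[-2]
        bucket = classify(parse_java_version(user_agent))
        if bucket != "non-java":
            counts[bucket] += 1
    total = sum(counts.values())
    outdated = total - counts["latest"]
    return {
        "java_requests": total,
        "latest": counts["latest"],
        "outdated_java7": counts["outdated-java7"],
        "outdated_java6_or_older": counts["outdated-java6-or-older"],
        # Guard against a log with no Java traffic at all.
        "percent_outdated": round(100.0 * outdated / total, 2) if total else 0.0,
    }


# Constructed sample log lines (combined log format); not real traffic.
SAMPLE_LOG = [
    '10.0.0.11 - - [12/Aug/2013:09:01:02 +0000] "GET /app/ HTTP/1.1" 200 512 "-" "Java/1.7.0_25"',
    '10.0.0.12 - - [12/Aug/2013:09:01:05 +0000] "GET /app/ HTTP/1.1" 200 512 "-" "Java/1.7.0_21"',
    '10.0.0.13 - - [12/Aug/2013:09:01:09 +0000] "GET /app/ HTTP/1.1" 200 512 "-" "Java/1.6.0_45"',
    '10.0.0.14 - - [12/Aug/2013:09:01:12 +0000] "GET /app/ HTTP/1.1" 200 512 "-" "Java/1.6.0_31"',
    '10.0.0.15 - - [12/Aug/2013:09:01:15 +0000] "GET / HTTP/1.1" 200 4096 "-" "Mozilla/5.0 (Windows NT 6.1)"',
    '10.0.0.16 - - [12/Aug/2013:09:01:20 +0000] "GET /app/ HTTP/1.1" 200 512 "-" "Java/1.7.0_25"',
]

if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

On the sample above, three of the five Java requests fall below 7u25, so `percent_outdated` is 60.0; the same query against a month of proxy logs gives the per-host inventory a patch team needs before it can argue for disabling or upgrading the browser plug-in.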
Java add-ons in the browser are a well-known hacker target, and security firms have routinely advised businesses to disable the technology, which is rarely needed to use most websites. Despite this advice, Websense discovered that 83.86 percent of enterprise browsers have Java enabled.
Adobe applications such as Reader and Flash are another cyber-espionage favorite. Along those lines, almost 40 percent of users are not running the most up-to-date versions of Flash, the researchers said. Nearly 25 percent of Flash installations are more than six months old, close to 20 percent are one year outdated and nearly 11 percent are nearly two years old, Websense said.
Previous research by Websense back in March found 93 percent of enterprises were vulnerable to known Java exploits and nearly 50 percent of enterprise traffic was using a version of Java more than two years out of date. So as bad as the state of enterprise Java security currently is, things are a bit better.
Carl Leonard, senior security research manager EMEA at Websense, commented: “Java has become a primary gateway for hackers to enter today’s businesses and its vulnerabilities are being commoditized in the latest exploit kits.
“Research using our Websense ThreatSeeker Intelligence Cloud indicates successful Java exploits are on the rise with computers running outdated versions of Java…. [and] only 19 percent of enterprise Windows-based computers ran the latest version of Java.
“It is clear the cybercriminals know there is a Java update challenge for many organizations and thus they focus on exploits targeting both new and older versions of the technology,” he added.