Security Advisor

Most Are Running Vulnerable Versions of Java

According to a Rapid7 researcher, only 38 percent of those running the Java Runtime Environment have updated to the newest version of the software -- and the number only reaches that high after a patch has been out for six months.

What's even scary is in the first month of a Java update, the adoption rate is below 10 percent.

What's so alarming about this? Take the latest news that code for successfully exploiting a Java flaw has been added to the well-known hacker toolkit called BlackHole. The vulnerability in question allows hackers to bypass Java's sandbox and load up an unsuspecting user's computer with malware.

However, there's an easy way to avoid this attack that has been seen running wild online: update your Java! The newest version of Java, which was released Feb. 15, will keep you protected from falling victim to this exploit. However, according to security researcher estimates, only a little more than 10 percent of you are protected.

Oracle needs to take a page out of Mozilla's book and silently push these updates to everyone on release. I'm pretty sure something as simple as an update to Java doesn't need the rigorous testing period that's reserved for "critical" Windows fixes.

Actually, speaking of Mozilla, it has blacklisted any outdated version of Java in its Firefox Web browser (I found this out last night. Apparently the Java on my home PC had evaded updates since last June.)

When do you update your Java? When a patch is released? When you remember? Want to shame me for being part of the 70 or so percent with an out-of-date Java? Let me know at [email protected]

About the Author

Chris Paoli is the site producer for and


  • SameSite Cookie Changes Rolled Back Until Summer

    The Chromium Project announced on Friday that it's delaying enforcement of SameSite cookie changes, and is temporarily rolling back those changes, because of the COVID-19 turmoil.

  • Basic Authentication Extended to 2H 2021 for Exchange Online Users

    Microsoft is now planning to disable Basic Authentication use with its Exchange Online service sometime in the "second half of 2021," according to a Friday announcement.

  • Microsoft Offers Endpoint Configuration Manager Advice for Keeping Remote Clients Patched

    Microsoft this week offered advice for organizations using Microsoft Endpoint Configuration Manager with remote Windows systems that need to get patched, and it also announced Update 2002.

  • Azure Edge Zones Hit Preview

    Azure Edge Zones, a new edge computing technology from Microsoft designed to enable new scenarios for developers and partners, emerged as a preview release this week.

comments powered by Disqus

Office 365 Watch

Sign up for our newsletter.

Terms and Privacy Policy consent

I agree to this site's Privacy Policy.