Study: 93% of Java Users Not Running Latest Version

According to Websense, a San Diego-based information security solutions provider, most browser Java installations continue to be unpatched or outdated, leaving the majority of users vulnerable to exploit code already in use in the wild. The firm's findings were published last week in an update to a March 2013 Java security study.

The original study, conducted by the company's Security Labs group of more than 100 researchers, found that only 5.5 percent of Java-enabled browsers were running the most current version of the Java plug-in (at the time, Java 7 Update 17 and Java 6 Update 43). The update, posted on the company's blog, found that 93 percent of users are still not patched to the most recent version of Java.

Oracle released a critical patch update for Java SE on April 16 for multiple security vulnerabilities. The next such update is scheduled for July 16, and another on October 15.

Websense maintains a "threat intelligence network" called ThreatSeeker made up of its own customer base. Through this network, the company monitors billions of Web requests originating from tens of millions of computers, the company says. Earlier this year, the company added Java version detection to its Advanced Classification Engine (ACE) and "pumped it" into the Websense ThreatSeeker Network, which produced real-time telemetry about which versions of Java are actively being used.

The company also looked at how the lack of effective patch management is affecting the enterprise. The company focused on business environments and the most recent Java patch issued in April. The company found that the process of Java patch management in the enterprise is "woefully slow." Specifically, a week after the April patch was issued, the average adoption was less than 3 percent; after two weeks, it was a little more than 4 percent; and after a month, it was approaching 7 percent.

"The results of our research were frightening to say the least," Bob Hansmann, Websense senior product manager, wrote in a company blog post, adding, "If we can't manage to curtail risk even by patching in a timely manner, we absolutely must put appropriate real time security analysis in place to inspect every stage of an attack life cycle."

In January, Oracle's senior product security manager, Milton Smith, told Java User Group (JUG) leaders during a conference call that the company's chief area of concern was Java plugins running applets on the browser. "A lot of the attacks that we've seen, and the security fixes that apply to them, have been [about] Java in the browser," he said. "It's the biggest target now."

"Let's hope that Oracle can get the overwhelming recent challenges behind them and really make an effort to make this as secure as possible moving forward," Hansmann wrote.

About the Author

John K. Waters is a freelance author and journalist based in Silicon Valley. His latest book is The Everything Guide to Social Media. Follow John on Twitter, read his blog on, check out his author page on Amazon, or e-mail him at


  • Azure Backup for SQL Server 2008 Available at Preview Stage

    Microsoft added the option of using the Azure Backup service to provide recovery support for SQL Server 2008 and SQL Server 2008 R2 when those workloads are hosted on Azure virtual machines.

  • Microsoft Suggests Disabling Old Protocols with Exchange Server 2019

    Exchange Server 2019 with Cumulative Update 2 (CU2) can help organizations rid themselves of old authentication protocols, which constitute a potential security risk.

  • Microsoft Previews New Edge Browser on Windows 7 and Windows 8.1

    Microsoft announced this week that it has released previews of its Chromium-based Microsoft Edge Web browsers for use on Windows 7, Windows 8 and Windows 8.1 systems.

  • Exchange Server June Cumulative Updates Arrive, But with Red Tape

    Microsoft released its quarterly cumulative updates (CUs) for Exchange Server 2013, 2016 and 2019 products this week, but added an extra step for IT pros to consider before installing them.

comments powered by Disqus

Office 365 Watch

Sign up for our newsletter.

Terms and Privacy Policy consent

I agree to this site's Privacy Policy.