New Java and Flash Research Shows a Dangerous Update Gap

Today we’re
continuing our Java security research series by analyzing other plug-ins,
browser extensions and rich internet applications that are commonly exploited.


Our previous
indicated that the current state of Java affairs isn’t pretty. At
that time, ninety-three percent of enterprises were vulnerable to known Java
exploits. Nearly 50 percent of enterprise traffic
used a Java version that was more than two years out of date. Through Websense ThreatSeeker Intelligence
Cloud analysis we now discover:


  • Only 19 percent of enterprise Windows-based
    computers ran the latest version of Java (7u25) between August 1-29, 2013.
  • More than 40 percent of enterprise Java requests
    are from browsers still using outdated Java 6. As a result, more than 80
    percent of Java requests are susceptible to two popular new Java exploits:
    CVE-2013-2473 and CVE-2013-2463.
  • 83.86 percent of enterprise browsers have
    Java enabled.
  • Nearly 40 percent of users are not running the
    most up-to-date versions of Flash.
  • In fact, nearly 25 percent of Flash
    installations are more than six months old, close to 20 percent are outdated by a year and nearly 11 percent are two years old.


Our in-depth
analysis ran for one month, across multiple verticals and industries. We
surveyed millions of real-world web requests for Java usage through our global
Websense ThreatSeeker Intelligence Cloud. 


New Java Exploits and the Neutrino Exploit

New Java
exploits CVE-2013-2473 and CVE-2013-2463 are already making a big impact by targeting
computers running outdated versions of Java. It’s clear the cybercriminals know
there is a Java update problem for many organizations.


For example, Websense ThreatSeeker Intelligence Cloud noticed an
uptick in new hosts running the Neutrino exploit kit in the first and second
weeks of August 2013. This could be attributed to Neutrino’s addition of
Java-based code execution exploits including CVE-2013-2463, which is based on AWT/2D vulnerabilities
and affects all Java 6 users (tip of the hat to F-Secure). Typically associated with ransomware payloads,
Neutrino is best known for its easy-to-use control panel and features that evade
AV and IPS systems.


Forty percent
of Java 6 users are vulnerable to these new exploits and there are no software
patches in sight. Effective exploit kit delivery mechanisms, such as Neutrino, and unpatched vulnerabilities targeting Java 6 create a significant challenge
for organizations that have not updated to Java 7.


On the positive
side, our updated numbers show that enterprise IT is pushing out more Java
updates. Earlier this year, 70 percent of Java requests came from Java 6 users.
That figure has decreased to 40 percent.


Check out this previous blog post
on how Java plays a part within the Seven Stages of Advanced Attacks and our advice on Java remediation steps at this post.


Don’t Forget About Flash

just a few years ago, Flash was a primary attack vector. As our research above indicates,
nearly 40 percent of users are not running the most up-to-date versions of
Flash. In the last three months, five security patches have been released for
Flash-and that number leaps to 26 over the course of the last year.


This is
exactly why real-time security models are absolutely essential. Even the best patch
management and traditional security tools simply cannot keep up with the ongoing barrage of
zero-day attacks and exploit kits being created.


We’ll keep
you posted as we conduct ongoing and future research on these critical systems
and programs. Stay tuned on the latest research and information on how to
mitigate these threats in future posts.