Despite Oracle Java being ranked among the highest risk vulnerabilities, a startling 72% of Java users are not bothering to update their software to the latest and safest versions.
The results of a new study from Kaspersky Lab, which surveyed 11 million Windows users during the 2012 calendar year, lays out disturbing statistics: 806 unique vulnerabilities were discovered in the survey period. But the “good” news is that only 37 of those security gaps were considered to be truly widespread and dangerous.
Don’t get too optimistic, though: those 37 vulnerabilities accounted for over 70% of all detected vulnerable software last year.
Singling Out Java
The Kaspersky study gets a little arbitrary at one point, singling out eight of the 37 vulnerabilities as those “that are actively used by cybercriminals in widespread exploit packs.” Not exactly a scientific classification, which should be taken into account when walking through the next set of results.
Of those eight exposed risks used by naughty hackers, five of them were inside Oracle Java, two in Adobe Flash Player, and the remaining loophole in Adobe Reader.
While it would be easy to point at Java’s security problems as one more way Oracle breaks everything it bought from Sun Microsystems, the real danger this report highlights is the general apathy on the part of users to get their software updated.
This is how bad it can be: after Java SE 7 Update 9 and SE 6 Update 37 were released on Oct. 16 last year, after six weeks, only 28.2% of users affected by the vulnerabilities of previously released updates had actually bothered to make the upgrade, leaving 71.8% of users still ready to be exploited.
The Kaspersky survey does not include data on the latest Java brouhaha, as Oracle has pushed out two critical updates already this year, the latest (Java SE 7 Update 13) pushed out the door on Super Bowl Sunday. Security experts are especially vehement about getting users’ systems updated with this new patch. The U.S. Department of Homeland Security has warned all Java users, for instance, to completely disable Java on their PCs and Macs until the vulnerabilities are effectively patched.
Why The Delay?
The report also did not try to ascertain why users are taking their own sweet time updating their systems, but the usual suspects would still seem to apply: lack of information about the problems and their potential impact.
Of course, it doesn’t help matters for Oracle when they see fit to partner with companies like Ask.com and McAfee to include extra software in the update installations for Java. ZDNet’s Ed Bott posted a thorough investigative report last month analyzing the deceptive practices of an Ask.com toolbar installation within a recent Java update. I myself noted with distain an attempt to install McAfee anti-virus software when I patched my Windows system to the new Java updates this weekend.
Oracle’s monetiztion of Java may be squeezing more money out of Java, but it just sets up one more pain-in-the-ass barrier with which users must contend. This added friction might cause all but the most conscientious users to just skip the hassle of a Java update altogether.
Given the slant of the report, it’s not entirely fair that Java was singled out as the big bad vulnerability vector on the block. But Java does have exploitable code and it is widely used, so these are not risks that should be ignored regardless.
Image courtesy of Shutterstock.