WEBSENSE: Most Java-Enabled Browsers Are Vulnerable to Java Exploits That Are Spreading on a Vast Scale


The majority of browser installations in use have out-of-date versions of the Java plug-in and are vulnerable to widely distributed exploit kits, according to a report published on Monday by Websense.

Websense gathered the data through its threat detection and intelligence network, which monitors the requests originating from millions of computers protected by the company's products and records which Java versions are installed and exposed through their web browsers. Websense sells email and web gateway security products for businesses and has also partnered with Facebook to check the links users click on the social network for threatening content.

The telemetry data gathered by the company reveals that only around 5.5 percent of Java-enabled browsers run the latest versions of the browser plug-in, Java 6 Update 43 (6u43) and Java 7 Update 17 (7u17). These versions were released in March to address the exploited vulnerabilities.
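As an added illustration (not code from Websense or from this article), here is how a defender could classify the Java plug-in versions seen in web proxy logs against the patched baselines the report names, 6u43 and 7u17, and compute the share that is current. It keys on the version token the Java runtime places in its HTTP User-Agent header (e.g. `Java/1.7.0_17`); the log lines are constructed sample input.

```python
import re
from typing import List, Optional, Tuple

# Patched plug-in versions named in the Websense report: Java 6 Update 43 and Java 7 Update 17.
PATCHED_UPDATE = {6: 43, 7: 17}

# The Java runtime identifies itself in its HTTP User-Agent as "Java/1.<major>.0_<update>".
JAVA_UA_RE = re.compile(r"Java/1\.(?P<major>\d+)\.0_(?P<update>\d+)")

def parse_java_version(log_line: str) -> Optional[Tuple[int, int]]:
    """Return (major, update) for a log line carrying a Java User-Agent, else None."""
    m = JAVA_UA_RE.search(log_line)
    if not m:
        return None
    return int(m.group("major")), int(m.group("update"))

def is_patched(major: int, update: int) -> bool:
    """True only for a supported branch at or above its patched update level.
    Branches not in the table (e.g. Java 5) are treated as outdated."""
    baseline = PATCHED_UPDATE.get(major)
    return baseline is not None and update >= baseline

def summarize(log_lines: List[str]) -> dict:
    """Count Java clients and report the share running a patched plug-in."""
    total = patched = 0
    outdated = set()
    for line in log_lines:
        version = parse_java_version(line)
        if version is None:          # not a Java request; ignore it
            continue
        total += 1
        if is_patched(*version):
            patched += 1
        else:
            outdated.add(version)
    pct = round(100.0 * patched / total, 1) if total else 0.0
    return {"java_clients": total, "patched": patched,
            "pct_patched": pct, "outdated_versions": sorted(outdated)}

# Constructed sample proxy log lines (not real telemetry).
SAMPLE_LOG = [
    '10.0.0.5 "GET /app.jar HTTP/1.1" 200 "Mozilla/4.0 (Windows 7 6.1) Java/1.7.0_17"',
    '10.0.0.6 "GET /app.jar HTTP/1.1" 200 "Mozilla/4.0 (Windows 7 6.1) Java/1.7.0_11"',
    '10.0.0.7 "GET /app.jar HTTP/1.1" 200 "Mozilla/4.0 (Windows XP 5.1) Java/1.6.0_43"',
    '10.0.0.8 "GET /app.jar HTTP/1.1" 200 "Mozilla/4.0 (Windows XP 5.1) Java/1.6.0_31"',
    '10.0.0.9 "GET /app.jar HTTP/1.1" 200 "Mozilla/4.0 (Windows 7 6.1) Java/1.5.0_22"',
    '10.0.0.10 "GET /index.html HTTP/1.1" 200 "Mozilla/5.0 (Windows NT 6.1) Chrome/26.0"',
]
```

Running `summarize(SAMPLE_LOG)` on the constructed lines reports 5 Java clients, 2 patched (40.0 percent), with 5u22, 6u31 and 7u11 flagged as outdated.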

According to Websense, the Cool exploit kit already contains exploits that cybercriminals use to launch mass drive-by download attacks, which infect computers with malware when users visit compromised websites. The kit requires a subscription fee of around 10,000 US dollars, which puts it out of reach of many cybercriminals. Websense's data also revealed that many Java-enabled browser installations are vulnerable to exploit kits that are cheap to subscribe to.

The company showed that around 75 percent of Java-enabled browser installations can be exploited using four different exploit kits that are both cheap and widely available: Blackhole 2, RedKit, Gong Da and CritXPack. These kits target a vulnerability addressed by Java 7 Update 17 (7u17). The company also found that 75 percent of such installations are using Java versions that are about six months old, and about two-thirds of Java-enabled systems are using versions that are more than a year old.

Users are also not taking advantage of Java 7 Update 11, released by Oracle, which by default prevents Java applets from running in the browser without a confirmation prompt.

The data analyzed by Websense also reveals that vulnerabilities which are already widely known, rather than zero-day attacks, are not being given much attention.

Security experts have recently advised that Oracle should find a way to improve the adoption rate of Java updates. They say this could be done by offering options such as automatic, silent updates, as Google does for Chrome and Adobe does for Flash Player and Adobe Reader. Silent updates are unpopular in corporate environments, where patches must be tested for stability and compatibility before they are deployed. If implemented in the consumer space, however, they could reduce the fragmentation of Java versions.
