Users of Java are caught between a rock and a hard place. They often need an older version of Java to run their applications, but those aged releases are susceptible to security breaches, which have plagued Java in recent years. Java accounted for 91 percent of Web exploits tallied — and 14 percent of all successful PC exploits — in Cisco Systems’ recent 2014 Annual Security Report, far outpacing Adobe Flash and PDF documents, the other major “popular vectors for criminal activity,” the report states. Specifically, Java on the client is the problem.
Oracle, which oversees Java, has stressed a need for users to upgrade to the latest version of Java to fend off security problems. Cisco also sees a benefit in upgrading to the latest Java version.
If only it were so easy.
An example of this dilemma is that 76 percent of companies using Cisco Web Security services are still running Java 6, which has reached its end of life and is unsupported. Because of application dependencies, many organizations have had no choice other than to stick with older Java versions despite the security risk they pose, therefore having to run, troubleshoot, and support multiple Java versions.
“Enterprises often use both versions of the Java Runtime Environment because different applications may rely on different versions to execute code,” says the Cisco report. “However, with more than three-fourths of the enterprises surveyed by Cisco using an end-of-life [product] with vulnerabilities that may never be patched publicly, criminals have ample opportunity to exploit weaknesses.”
Although it’s not easy to upgrade applications so you can eliminate old versions of Java, Cisco and industry analysts offer some advice.