Java remains a security risk despite years of software updates, because outdated versions of the runtime are so widespread, researchers who evaluated its exposure have concluded.
Security company Bit9 found that Java is the endpoint technology most targeted by cyber attacks, and that older versions are running on around 1 million endpoints at hundreds of companies across the world.
The Bit9 research team found that most endpoints have multiple versions of Java installed, with the average organisation running more than 50 distinct versions, partly because installing a new version or applying an update does not always remove the older versions it was meant to replace.
The most common version on the endpoints Bit9 analysed is Java 6 Update 20, present on 9% of all systems, yet it has 96 known vulnerabilities of the highest severity, the company says.
Harry Sverdlove, Bit9 CTO, said: "For the past 15 years or so, IT administrators have been under the misperception that updating Java would address its security issues.
"They have been told that to improve security, they should continuously and aggressively deploy Java updates on all of their endpoints. Unfortunately, updating is not the same as upgrading.
"Until very recently, those updates have failed to deliver the promised security upgrade because they have not removed older, highly vulnerable versions of Java they were intended to replace.
"As a result, most organisations have multiple versions of Java on their endpoints, including some that were released at the same time as Windows 95."
Bit9 recommends that firms first discover how many old versions of Java they are running and whether each is still needed, and then address the issue with a security solution.
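The inventory step that Bit9 recommends is the part most organisations skip, because an updated default `java` on the PATH hides the older runtimes sitting beside it. The script below is an added, constructed example, not Bit9's tooling or anything published with the article: it walks the filesystem for every `java`/`java.exe`, runs each with `-version` (Java writes that banner to stderr), parses both the legacy `1.<major>.0_<update>` string used through Java 8 and the `<major>.<minor>.<security>` string used from Java 9, and flags every runtime older than a policy threshold. The install paths, the sample banners and the `min_major` threshold are assumptions for illustration.

```python
"""Inventory the Java runtimes present on an endpoint and flag stale ones.

Constructed example. Parses `java -version` banners in both the legacy
1.<major>.0_<update> scheme (Java <= 8) and the <major>.<minor>.<security>
scheme (Java >= 9), so a machine carrying 1.6.0_20 next to 17.0.2 is reported
as two runtimes, not one.
"""
import os
import re
import subprocess
from dataclasses import dataclass

# First banner line, e.g.  java version "1.6.0_20"  or  openjdk version "17.0.2" 2022-01-18
_VERSION_LINE = re.compile(r'(?:java|openjdk) version "([^"]+)"')


@dataclass(frozen=True)
class JavaVersion:
    major: int    # feature release: 6 for 1.6.0_20, 17 for 17.0.2
    minor: int
    update: int   # update number (legacy) or security/patch number (Java 9+)
    raw: str

    def key(self):
        return (self.major, self.minor, self.update)


def parse_version_string(raw: str) -> JavaVersion:
    """'1.6.0_20' -> (6, 0, 20); '1.8.0_292-b10' -> (8, 0, 292); '17.0.2+8' -> (17, 0, 2); '9' -> (9, 0, 0)."""
    core = raw.split("-", 1)[0].split("+", 1)[0]        # strip -b10 / -ea / +8 build tags
    if core.startswith("1."):                            # legacy scheme, Java <= 8
        major, _, rest = core[2:].partition(".")
        minor, _, update = rest.partition("_")
    else:                                                # JEP 223 scheme, Java >= 9
        parts = core.split(".") + ["0", "0"]
        major, minor, update = parts[0], parts[1], parts[2]
    return JavaVersion(int(major), int(minor or 0), int(update or 0), raw)


def parse_version_output(output: str):
    """Return the JavaVersion announced in a `java -version` banner, or None if unrecognised."""
    m = _VERSION_LINE.search(output)
    return parse_version_string(m.group(1)) if m else None


def find_java_binaries(roots):
    """Walk the given directories and yield every java / java.exe executable found."""
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                if name in ("java", "java.exe"):
                    yield os.path.join(dirpath, name)


def probe_banner(binary: str) -> str:
    """Run `<binary> -version`; the banner goes to stderr, so capture both streams."""
    try:
        proc = subprocess.run([binary, "-version"], capture_output=True, text=True, timeout=30)
    except (OSError, subprocess.SubprocessError):
        return ""
    return proc.stderr + proc.stdout


def audit(banners: dict, min_major: int):
    """Map {binary path: banner text} to (all distinct versions, the stale subset).

    A runtime is stale when its feature release is below min_major, the oldest
    release the organisation still accepts (an assumed policy input).
    """
    found = {}
    for path, text in banners.items():
        ver = parse_version_output(text)
        if ver is not None:
            found.setdefault(ver.key(), []).append(path)
    stale = {k: v for k, v in found.items() if k[0] < min_major}
    return found, stale


def audit_endpoint(roots, min_major: int):
    """Live variant of audit(): discover binaries under roots and probe each one."""
    return audit({p: probe_banner(p) for p in find_java_binaries(roots)}, min_major)


# Constructed banners standing in for three runtimes left behind on one Windows
# endpoint after successive installs; the paths are assumed, not from the article.
SAMPLE_BANNERS = {
    r"C:\Program Files\Java\jre6\bin\java.exe":
        'java version "1.6.0_20"\nJava(TM) SE Runtime Environment (build 1.6.0_20-b02)\n',
    r"C:\Program Files (x86)\Java\jre1.8.0_292\bin\java.exe":
        'java version "1.8.0_292"\nJava(TM) SE Runtime Environment (build 1.8.0_292-b10)\n',
    r"C:\Program Files\Java\jdk-17.0.2\bin\java.exe":
        'openjdk version "17.0.2" 2022-01-18\nOpenJDK Runtime Environment (build 17.0.2+8-86)\n',
}

if __name__ == "__main__":
    found, stale = audit(SAMPLE_BANNERS, min_major=17)
    for key, paths in sorted(found.items()):
        print(".".join(map(str, key)), "STALE" if key in stale else "ok", paths)
```

On a real endpoint call `audit_endpoint([r"C:\Program Files", r"C:\Program Files (x86)"], min_major=17)` (or `/usr/lib/jvm` and `/opt` on Linux); the point of walking the filesystem rather than asking the PATH is that the PATH only ever shows the one runtime the last installer registered, which is exactly the blind spot the article describes.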