It was well into the afternoon before Oracle today released the significant group of security patches it pre-announced last week. Of the 40 patches in this update, fully 37 of them "may be remotely exploitable without authentication." However, evidence suggests most enterprises weren't drumming their fingers with impatience.
Odds are, in fact, most organizations will ignore this patch. Despite the release of a new version of Java with updated security features along with a Java patch update made available in mid-April, a Web security firm found nearly 93% of Java users remain unpatched to that version of the software.
Websense Inc. said Oracle's Critical Patch Update, released on April 16, included 42 new security fixes covering Java SE products. Of these, Oracle said 39 of the vulnerabilities could be remotely exploited without authentication; two are applicable to server deployments of Java.
Two days after the release, Websense reported less than 2% of users had adopted the Java patch update, known as Java SE Version 7, Update 21. One month into the release, Websense said the number of live Web requests using the most recent version of Java was a mere 7%.
"This leaves the majority of users still vulnerable to the dangers of exploit code already in use in the wild," Websense said in a June 4 blog post.
The San Diego-based company said its ThreatSeeker Network was used over the last seven weeks to track usage of the most recent version of Java. The tool collects content contained within webpages, documents, executable files, mobile applications, streaming, social media and emails.
As word of the Java patch update's availability spread via word of mouth and through Oracle's Java Auto Update, Websense said, "We've noted that some organizations [were] then willing to apply the patch." Still, 92.8% of Java users remain vulnerable.
Analysts said the ideal solution would be for companies to disable Java within the browser. "The challenge there is that many [organizations] don't even know what applications actually require Java to run, and disabling this would cause many apps to no longer function," noted Rick Holland, senior analyst for security and risk management at Cambridge, Mass.-based Forrester Research Inc. "Taking the time to take a full inventory of their application portfolio requires operations cycles that many companies don't have."
These operational challenges are among the reasons for delayed deployment of Java patch updates, Holland added. "Many companies have relatively mature patch and configuration management programs when it comes to the Microsoft suite of products, but once you start moving beyond these to third-party apps, the operational challenges become more acute," he said.