It’s long been known that Java and Flash are favored targets of attackers, thanks to their huge install bases and numerous security issues. And the users who are targeted by these attacks aren’t doing themselves any favors either, as new research shows that 19 percent of business users are running the newest version of Java, and about 25 percent of Flash users are running a version that’s at least six months old.
Those statistics, compiled over the course of four weeks in August by Websense, paint an ugly picture of the target environment for attackers. Browser plug-ins and extensions such as Java and Flash have become easy pickings for attackers due not just to their ubiquity, but also to the fact that many users fail to update them very often. Operating systems and browsers in most cases are set to update automatically, which takes most of the responsibility for security out of users’ hands. But that’s not usually the case with browser plug-ins. Users have to install new versions of those apps themselves, something that many users never bother with.
That lax attitude plays right into the hands of attackers, many of whom rely on exploits for older vulnerabilities that are patched in the most-updated version of a plug-in. However, attackers won’t ignore new exploits if they’re available. Lately, researchers have seen exploits for two newer Java vulnerabilities showing up in the Neutrino exploit kit.
“New Java exploits CVE-2013-2473 and CVE-2013-2463 are already making a big impact by targeting computers running outdated versions of Java. It’s clear the cybercriminals know there is a Java update problem for many organizations,” Matthew Mors of Websense wrote in an analysis of the trend.
“Forty percent of Java 6 users are vulnerable to these new exploits and there are no software patches in sight. Effective exploit kit delivery mechanisms, such as Neutrino, and unpatched vulnerabilities targeting Java 6 create a significant challenge for organizations that have not updated to Java 7.”
Security researchers have been highly critical of Oracle in the last few years for not paying more attention to Java security, but if users aren’t updating to the newest versions when they’re available, that’s adding fuel to the fire.
Flash users aren’t so swift at updating their software either, which is a major problem when you consider that Flash is installed on more computers worldwide than any other piece of software. The fact that almost 40 percent of Flash users are running older, vulnerable versions of the software makes life much easier for the attackers.