IT pros know one of the key steps that can help prevent security breaches is making sure all software is up to date. However, many businesses are behind the curve when it comes to software patches, a new report says.
The past year has been eventful for the Java platform, as several rounds of highly critical bugs have been found and patched, with some of the vulnerabilities staying open for significant periods of time.
Last year, a serious Java security vulnerability was discovered. The discovery was followed by an emergency patch from Oracle, which was later found to be incomplete and, in fact, to have opened up a brand new flaw.
Then in early 2013, a critical zero-day vulnerability was discovered, and Oracle released a software patch. However, security researchers soon discovered that the update only fixed one of two major vulnerabilities.
At that point, some security experts argued that Java is too risky and organizations should disable it completely. Even as bugs are patched, new ones are sure to be found, and hackers will continue targeting those vulnerabilities.
Most systems unpatched
Sure enough, in April Oracle released another software patch that fixed a total of 42 vulnerabilities.
But despite the scope and importance of that and previous updates, many businesses are still running outdated versions of Java, according to a recent report from Websense Security Lab.
Among the more than one billion endpoints monitored by Websense for its business customers, just 7% of the machines were running the latest version of Java. Moreover, 75% were running a version more than six months old and half were at least a year behind.
Experts say there are a few reasons organizations haven't kept their security patches up to date. The first is that many companies run software that's dependent on certain versions of Java, and installing updates would cause other problems. For those organizations, the best solution may be to limit the use of Java to where it's absolutely needed, especially on users' Internet-facing computers.
Another reason: When users are prompted to install a software patch, they'll typically ignore it. Often, that's because they're afraid of installing anything on their own without IT. To help, IT can at least notify users when an update is important and should be installed.
And finally, in some cases administrative rights are needed to apply a software patch, and if the user doesn't have those credentials, IT needs to be involved. But though it might be time consuming, applying the updates can protect the company from some serious security threats.