http://www.bratandblekning.com Top Blogs July 2013 ~ JAVA TUTORIAL

Tuesday, 23 July 2013

More Java Versions on Endpoints Mean More Risk for Enterprises

According to research from Bit9, Java is a significant security risk to enterprises because it is the endpoint technology most targeted by cyber attacks.

The company's threat research team collected Java deployment statistics from approximately 1 million endpoints at hundreds of enterprises worldwide. Most of the risk it identified comes from outdated versions of Java, with many known vulnerabilities, that remain widely deployed across businesses.

Among the findings:

- Most organizations have more than 50 versions of Java installed across their endpoints.
- 5 percent of those enterprises have more than 100 versions of Java installed.
- Most endpoints have multiple versions of Java installed, in part because the Java installation and update process often does not remove old versions.
- Attackers can easily determine which versions of Java an enterprise is running and target the oldest, most vulnerable ones.
- The most common version of Java on the analyzed endpoints is a Java 6 update release, present on 9 percent of all systems, which has 96 known vulnerabilities of the highest severity.
- Less than 1 percent of enterprises are running the latest version of Java.

“For the last 15 years or so, IT administrators have been under the misperception that updating Java would address its security issues."

They have been told that to improve security they should continuously deploy Java updates on all of their endpoints. But updating is not the same as upgrading: an update typically installs the new release next to the old one rather than replacing it, so those updates have failed to deliver the promised security improvement because they leave behind the older, highly vulnerable versions of Java they were intended to replace.

The company also found that it is fairly easy for attackers to target older versions of Java without the enterprise even realizing it. 82 percent of the analyzed endpoints are running the Java 6 series, which has the most known reported vulnerabilities.
Enterprises should take stock of these old versions: any version that no business application still requires should be removed, and the rest should be checked against the known vulnerabilities for that release.
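The inventory and comparison Bit9 describes can be reproduced for your own fleet. The following is an added example, not Bit9's tooling and not code from the original post: it parses the Java 6/7-era version strings that in-place updates leave behind (`1.6.0_20`, `1.7.0_11-b21`) into tuples that sort in release order, and over a constructed inventory reports the figures the post cites: the number of distinct versions, the hosts carrying more than one JRE, the most common version, the share of hosts on the Java 6 family, and, from the attacker's side, the oldest JRE present on each host. The hostnames, version lists and the `LATEST` table are assumptions; substitute the versions found on your endpoints and the current Oracle release.

```python
"""Inventory of Java versions across endpoints: the check a defender (or an
attacker) would run to find the oldest JRE that in-place updates left behind."""
import re
from collections import Counter

# Java 6/7-era version strings: "1.6.0_20", "1.7.0_11-b21". Anything else is rejected.
_VERSION_RE = re.compile(r"^1\.(\d+)\.(\d+)(?:_(\d+))?(?:-b(\d+))?$")


def parse_java_version(text):
    """Return (family, micro, update, build) so that tuples compare in release order."""
    m = _VERSION_RE.match(text.strip())
    if m is None:
        raise ValueError("unrecognised Java version string: %r" % text)
    family, micro, update, build = m.groups()
    return (int(family), int(micro), int(update or 0), int(build or 0))


def family_label(v):
    """Human-readable name for a parsed version, e.g. 'Java 7 Update 11'."""
    return "Java %d Update %d" % (v[0], v[2])


# Constructed sample inventory (hypothetical hostnames and version lists, not
# Bit9 data): each endpoint lists every JRE found installed on it.
SAMPLE_INVENTORY = {
    "ws-001": ["1.7.0_25"],
    "ws-002": ["1.6.0_20", "1.6.0_45", "1.7.0_11-b21", "1.7.0_25"],
    "ws-003": ["1.6.0_20", "1.7.0_21"],
    "ws-004": ["1.6.0_31"],
    "ws-005": ["1.7.0_11-b21", "1.7.0_25"],
}

# Assumed "latest" release per family; adjust to the current Oracle release
# before running this against a real inventory.
LATEST = {6: parse_java_version("1.6.0_51"), 7: parse_java_version("1.7.0_25")}


def analyse(inventory, latest=LATEST):
    """Summarise exposure the way the post describes it: distinct versions,
    hosts with more than one JRE, the most common version, the Java 6 share,
    and the hosts whose oldest JRE is behind the latest of its family."""
    parsed = {host: sorted(parse_java_version(v) for v in vs)
              for host, vs in inventory.items()}
    distinct = {v for vs in parsed.values() for v in vs}
    multi = sorted(h for h, vs in parsed.items() if len(vs) > 1)
    counts = Counter(v for vs in parsed.values() for v in set(vs))
    most_common, most_common_hosts = counts.most_common(1)[0]
    # Attacker's view: the oldest JRE on a host is the one worth targeting,
    # regardless of how current the newest one is.
    exposed = {}
    for host, vs in parsed.items():
        oldest = vs[0]
        if oldest < latest.get(oldest[0], oldest):
            exposed[host] = oldest
    total = len(parsed)
    java6_share = sum(1 for vs in parsed.values() if any(v[0] == 6 for v in vs)) / total
    fully_current = sum(1 for vs in parsed.values()
                        if all(v == latest.get(v[0]) for v in vs)) / total
    return {
        "distinct_versions": len(distinct),
        "hosts_with_multiple_versions": multi,
        "most_common": most_common,
        "most_common_share": most_common_hosts / total,
        "exposed_oldest": exposed,
        "java6_share": java6_share,
        "fully_current_share": fully_current,
    }


if __name__ == "__main__":
    report = analyse(SAMPLE_INVENTORY)
    for key, value in report.items():
        print("%-28s %s" % (key, value))
    for host, v in sorted(report["exposed_oldest"].items()):
        print("%s: oldest JRE is %s" % (host, family_label(v)))
```

Note what the `fully_current_share` figure measures: a host counts as current only if every JRE on it is the latest of its family, which is why a host that received the newest update but kept the old one beside it still shows up under `exposed_oldest`. The fix is to remove the old version, not to install another one next to it.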

Monday, 8 July 2013

Expert says Oracle's latest Java 7 update has new sandbox-bypass bugs.

A week after Oracle released Java 7 Update 11 to patch or mitigate two zero-day vulnerabilities that were being actively exploited by attackers, Java bug hunter Adam Gowdiak of Security Explorations in Poland reported two new bugs in Java Standard Edition.

"We have successfully confirmed that a complete Java security sandbox bypass can be still gained under the recent version of Java 7 Update 11 (JRE version 1.7.0_11-b21)," wrote Gowdiak in a post to the Full Disclosure mailing list. As a result, an attacker who exploited the bugs could craft malware that escapes the JRE sandbox and fully compromises a vulnerable system.

Moreover, the two newly discovered bugs are unrelated to Oracle's partial fix for the "MBeanInstantiator" flaw, which Oracle addressed by changing the default Java security setting from medium to high so that unsigned Java web applications must be authorized by the user before they are allowed to run. "The 'MBeanInstantiator' bug (or rather a lack of a fix for it) turned out to be quite motivational for us," said Gowdiak. "But, instead of relying on this particular bug, we just decided to dig our own issues. So, two new security vulnerabilities (51 and 52) were spotted in a recent version of Java SE 7 code and they were reported to Oracle today (along with a working Proof of Concept code)."