Java's security dilemma: Old, vulnerable versions won't go away
Users of Java are caught between a rock and a hard place. They often need an older version of Java to run their applications, but those aged releases are susceptible to security breaches, which have plagued Java in recent years. Java accounted for 91 percent of Web exploits tallied -- and 14 percent of all successful PC exploits -- in Cisco Systems' recent 2014 Annual Security Report, far outpacing Adobe Flash and PDF documents, the other major "popular vectors for criminal activity," the report states. Specifically, Java on the client is the problem.
Oracle, which oversees Java, has stressed a need for users to upgrade to the latest version of Java to fend off security problems. Cisco also sees a benefit in upgrading to the latest Java version. If only it were so easy.
An example of this dilemma is that 76 percent of companies using Cisco Web Security services are still running Java 6, which has reached its end of life and is unsupported. Because of application dependencies, many organizations have had no choice other than to stick with older Java versions despite the security risk they pose, and so they must run, troubleshoot, and support multiple Java versions side by side.