Guess who hasn't patched the Java security hole?
It has now been more than a week since Oracle released a monster security fix for Java or, to be precise, 29 security fixes within a Critical Patch Update across Java SE and Java for Business products. Which leads me to the question posed in the title of this missive, the answer to which is almost certainly "me", or rather you, as I am one of the paltry 7% who have already applied the fix. At the risk of repeating myself, I shall repeat myself. Only 7% have applied the critical patch.
According to Trusteer, 68% of Internet users are still at risk from the attacks that these Java vulnerabilities expose them to, and the company goes as far as to claim that it has become the single most exploitable vulnerability on the web today. Not that Trusteer CEO Mickey Boodaei is exactly backwards in coming forward with a very loud security soundbyte at every given opportunity, but on this occasion I would have to say he has a point. "Java is", Boodaei states, "a ubiquitous technology installed on virtually every computer in the world", and that makes it one of the most sought-after platforms when it comes to malware distribution.
"The spike in Java exploits shows every sign of continuing", Boodaei warns, adding that "the fact that the time between an exploit being discovered and then being used by hackers in the real world is shortening is of great concern". So why are so few of us, sorry, I mean you, updating your systems with this critical patch? Could it be that Oracle itself is to blame for not distributing the patch efficiently enough? Boodaei suggests that to be the case, arguing that Oracle is facing some major security challenges, not least the software update mechanism itself.