According to new research from Kaspersky Lab, in the form of a report called Evaluating the threat level of software vulnerabilities, 72% of Java users haven't switched to the latest, safest version despite highly publicised vulnerabilities and the resulting security exploits.
And it's not just Java: the report also shows that users of older versions of Adobe Flash Player and Adobe Reader are failing to upgrade to safer versions, leaving their systems and their data at potential risk of breach.
Researchers looked at the most dangerous vulnerabilities (those known to be actively exploited by cybercriminals) found in assorted programs during the last year, and analysed the enthusiasm with which users were upgrading to the safer updated editions once they were made available. The unsettling result was the discovery that for a large number of people the older, unsafe and often obsolete, versions of popular software applications remain installed on "a significant number of PCs" for "months and even years".
Here are the key points of the Kaspersky Lab paper:
Data analysis from more than 11 million users was used to reveal more than 132 million vulnerabilities, with an alarming average of 12 vulnerabilities per user.
In total, more than 800 specific and different vulnerabilities were discovered, and of these a minuscule 37 were found to be present on at least 10% of computers for one week or more during 2012. Yet these same 37 vulnerabilities accounted for a massive 70% of all the detected software flaws. Of these 37, only eight were found to be used in the most common exploit packs used by cybercriminals: Java was the most prevalent with five vulnerabilities, two were in Adobe Flash Player and one in Adobe Reader.
Adobe Shockwave and Flash Player, Apple iTunes/QuickTime, and Java were identified as the software packages with the highest number of frequently found software vulnerabilities.
Some six weeks after the latest version of Java was made available (during September-October 2012), it was found that a disappointing 28.2% of users had upgraded to the safer version. More than 70% left their system vulnerable to Java exploits by not updating the software.
An obsolete 2010 version of Adobe Flash Player that could easily be exploited was found on an average of 10.2% of computers, and a vulnerability discovered in Adobe Reader in December 2011 was found on 13.5% of computers.
"What this research reveals is that releasing a fix for a security loophole shortly after discovery is not enough to make users and businesses secure," says Vyacheslav Zakorzhevsky, a vulnerability research expert at Kaspersky Lab, who continues: "Inefficient update mechanisms have left millions of users of Java, Adobe Flash and Adobe Reader at risk. Companies should take this problem very seriously, as security flaws in popular software have become the principal gateways for a successful targeted attack."