Some organisations have more than 50 versions of Java installed across endpoints according to research.
Java was the most targeted endpoint according to Bit9. It analysed a million endpoints at hundreds of enterprises worldwide and found five per cent of those enterprises have more than 100 versions of Java installed.
The average endpoint ran 1.6 versions of Java; Bit9 said that this was down to companies installing a new version and that will not always remove older versions of the software.
The most popular version of Java running on endpoints analysed by Bit9 is version 6 update 20, which is present on nine per cent of all systems and has 96 known vulnerabilities of the highest severity.
Bit9 chief technology officer Harry Sverdlove said old Java versions should be removed.
“Unfortunately, updating is not the same as upgrading. Until very recently, those updates have failed to deliver the promised security upgrade because they have not removed older, highly vulnerable versions of Java they were intended to replace. As a result, most organisations have multiple versions of Java on their endpoints, including some that were released at the same time as Windows 95.”
Similar research undertaken by Websense earlier this year found that 75 per cent of end-users are using a Java Runtime Environment release that is more than six months out of date, while almost two-thirds of users are a year behind and more than 50 per cent are two years behind.
It also found that two days after a critical patch update in April, fewer than two per cent of users had adopted Java SE Version 7 Update 21. Carl Leonard, senior security research manager, EMEA at Websense, told SC Magazine that this shows a continued pattern that even with best efforts businesses still struggle to apply patches in a timely fashion.
Sverdlove said that it was not surprising that most companies are unaware of all the versions of Java on their systems as most organisations have no idea what's running on their endpoints and servers as they lack visibility into those systems.
Oracle announced in June that it would begin to issue four annual security releases, as well as retain the ability to issue emergency ‘out of band' security fixes.