Enterprises are still ignoring the threat posed by out-of-date versions of Java, with barely one in five running the latest version during August, security firm Websense has reported.
After running traffic through the firm's ThreatSeeker Intelligence Cloud, an incredible 40% of Java requests were found to be from Java 6 Standard Edition (SE), which was succeeded by Java 7 SE more than two years ago. Java 6 support ended in April 2013.
Some might have continued to run this for compatibility reasons for a time, but ignoring the issue would now be leaving them open to a range of serious exploits.
The general tendency not to update meant that 81% of browsers were now vulnerable to two recent vulnerabilities in particular, CVE-2013-2473 and CVE-2013-2463 from June this year, for which there were working exploits, Websense said.
Overall, Java remains popular among enterprise users, Websense found, with 84% of browsers and clients enabling it. One positive trend was that IT departments had at least increased the level of updates to Java 7.
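Websense's figures come from classifying the Java version behind each request seen in traffic. As an added example (not Websense's or Bit9's code), here is a Python routine that does the same over proxy log lines: it reads the "Java/&lt;version&gt;" User-Agent that Java's own HTTP client sends, counts requests per major version, and flags those below an assumed patched baseline; the baseline values (7 Update 25 and 6 Update 51, the June 2013 update level for the CVEs mentioned above) and the log lines are assumptions constructed for the example.

```python
import re
from collections import Counter

# Java's built-in HTTP client identifies itself as "Java/<java.version>",
# e.g. "Java/1.6.0_45" (Java 6 Update 45) or "Java/1.7.0_25" (Java 7 Update 25).
JAVA_UA = re.compile(r"\bJava/1\.(\d+)\.\d+(?:_(\d+))?\b")

# Assumed patched baseline (major -> minimum update): the June 2013 update level
# that fixed CVE-2013-2463 / CVE-2013-2473. An assumption; set it to your policy.
BASELINE = {6: 51, 7: 25}

# Constructed proxy log lines for the demo, not real traffic.
SAMPLE_LOG = [
    '10.0.0.11 GET http://intranet.example/app.jar "Java/1.6.0_45"',
    '10.0.0.12 GET http://intranet.example/app.jar "Java/1.7.0_21"',
    '10.0.0.13 GET http://intranet.example/app.jar "Java/1.7.0_25"',
    '10.0.0.14 GET http://intranet.example/app.jar "Java/1.7.0_40"',
    '10.0.0.15 GET http://intranet.example/ "Mozilla/5.0 (Windows NT 6.1)"',
]

def parse_java_version(line):
    """Return (major, update) for a line carrying a Java User-Agent, else None."""
    m = JAVA_UA.search(line)
    if not m:
        return None
    return int(m.group(1)), int(m.group(2) or 0)

def is_below_baseline(version, baseline=BASELINE):
    """True when the version predates the patched level for its major release."""
    major, update = version
    if major not in baseline:      # e.g. Java 5: older than anything patched
        return major < min(baseline)
    return update < baseline[major]

def summarize(log_lines, baseline=BASELINE):
    """Count Java requests per major version and the share below baseline."""
    by_major, exposed, total = Counter(), 0, 0
    for line in log_lines:
        version = parse_java_version(line)
        if version is None:        # not a Java client request, skip it
            continue
        total += 1
        by_major[version[0]] += 1
        if is_below_baseline(version, baseline):
            exposed += 1
    pct = round(100.0 * exposed / total, 1) if total else 0.0
    return {"total": total, "by_major": dict(by_major),
            "exposed": exposed, "exposed_pct": pct}
```

Browser plug-in traffic does not carry this User-Agent, so the count covers Java client requests only; pair it with endpoint inventory for the full picture.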
"Java has become a primary gateway for hackers to enter today's businesses and its vulnerabilities are being commoditised in the latest exploit kits," said Websense senior research manager for EMEA, Carl Leonard.
"It is clear the cybercriminals know there is a Java update challenge for many organisations and thus they focus on exploits targeting both new and older versions of the technology."
Flash, too, remains an issue in many firms, with 40% of users not running the latest version, Websense found. Some 25% of installations were more than six months old, 20% around a year old and one in 10 two years old.
The Websense findings concur with the general picture offered by every other survey on the subject of updating. In July, Bit9 discovered much the same poor levels of updating, with Java 6 still very popular and usage levels just over 80% for Java as a whole.