Biz bods STILL don't patch hacker's delight Java and Flash

A whopping 81 per cent of businesses run outdated Java while two in five (40 per cent) have not updated Flash, according to the latest figures from net security firm Websense. Websense warns that failing to apply patches that address vulnerabilities in hacker favourites such as Flash and Java leaves these businesses at risk of …

COMMENTS

This topic is closed for new posts.
  1. Anonymous Coward

    Businesses don't want security

    By the second or third time a routine security update to IE, Flash, or Java or whatever has been blamed for some failure of a crappy website or application, any good intentions to do right by one's employer are at breaking point.

    I can see why some people would just not bother.

    1. ecofeco Silver badge
      Facepalm

      Re: Businesses don't want security

      POTD.

      Upvoted.

      (hell, I've even been blamed for the breakage at which point I have to find a very diplomatic way of saying their custom software is bollocks and always was. Remind me to tell you a little story about HTML and email, sometime)

  2. HMB

    Regarding the Title

    >Biz bods STILL don't patch hacker's delight Java and Flash

    >I said a patch Flash, or hacks unlatch, snatch data to the rhythm of the boogie, the beat

    Has there been some sort of serious outbreak of a poetry-related disease or contagion at The Register HQ? If so, have the authorities been alerted?

    If biological weapons have been used I do hope France doesn't invade.

    1. Frumious Bandersnatch

      Re: Regarding the Title

      "Has there been some sort of serious outbreak of a poetry-related disease"

      You don't seem to know [Grandmaster] Flash, do you? For shame :)

  3. Badvok
    Childcatcher

    Last time my daughter updated Flash it installed a horrendous trojan that stopped backups working (McAfee or something).

    1. ecofeco Silver badge

      "Last time my daughter updated Flash it installed a horrendous trojan that stopped backups working (McAfee or something)."

      This is sarcasm, right?

    2. Tim Jenkins

      Probably not Flash, but may well have been Shockwave; the full version of the installer STILL installs other software by default (either Norton Security Scan or Chrome at the moment, but it varies over time).

  4. Miek
    Linux

    "What you see is not a test, I'm patching to the beat ..."

    1. yomchi86
      Thumb Up

      lol Sugarhill Gang FTW - I was wondering if anyone would pick up on that....

  5. DJV Silver badge
    FAIL

    Java and Flash

    The sooner both of them are completely replaced in the browser by HTML 5, the better.

    1. ecofeco Silver badge

      Re: Java and Flash

      I agree, but how many years have we been waiting for ratification of HTML 5?

      I'm not holding my breath.

  6. Steve Crook
    Headmaster

    while two in five (40 per cent)

    Really....

    1. Miek
      Linux

      Re: while two in five (40 per cent)

      100/5 = 20 ... 2x20 = 40

      So, yes, really!

  7. Erik4872

    No choice sometimes

    I do systems integration work, my focus is on client systems, and I see this all the time. Often, there is very little choice in the matter, especially in industry sectors with a lot of specialized applications running on people's desktops and in their browsers.

    This is the same thing that's keeping corporate environments on XP and IE 6 despite pleas from everyone to get off. Actual examples from my work-life:

    - Oracle had a "special" JRE called JInitiator around 2001 or so that has to be installed to work with old versions of its Financials and other Oracle Forms based apps. Businesses can't justify paying Oracle $xxM on top of their already high license maintenance fees to upgrade to versions that don't need it, so the client piece stays. Worse yet, these are modified copies of JRE 1.3x/1.4x from Sun with a different GUID compiled in, and they need to run in the browser.

    - Big consulting shops whip together garbage Java or Flash applications that become core pieces of the business. And oh yes, it only runs with the specific quirks of IE 6 SP1 combined with JRE 1.4.2. Want it to support modern browsers/Java? That'll be $10M to rearchitect it please...

    - Small consulting shops or internal employees write these same garbage apps and then die, quit or go out of business. We'll get around to replacing that in 2017...

    - Even big commercial applications, just not stuff aimed at the consumer, have huge dependencies on old Java and Flash, and if you run it in the browser, you're vulnerable.

    There's a huge industry around app virtualization software just to "solve" problems like this. A lot of it might be inertia, but trying to do regression testing in even midsize companies where hundreds of applications could be running on desktops together...it's messy.

    It's easy to say, "Well, The Cloud will solve all your problems." But anyone who says that has listened to their cloud salesmen a little too much or doesn't know what actually goes on under the hood to get these software packages working together...

    1. ecofeco Silver badge

      Re: No choice sometimes

      Exactly. Seen all that and then some.

    2. Anonymous Coward

      Re: No choice sometimes

      "I do systems integration work, my focus is on client systems, and I see this all the time. Often, there is very little choice in the matter, especially in industry sectors with a lot of specialized applications running on people's desktops and in their browsers.

      This is the same thing that's keeping corporate environments on XP and IE 6 despite pleas from everyone to get off. Actual examples from my work-life:"

      This. Other classic offenders are customised versions of SAP. Anonymous, because I don't feel like advertising weakness.

  8. Dan Paul

    It's the program updater!

    The problem comes from the software's updater, not just the user's laziness. Many business users are unable to update software due to overzealous install permissions. Flash would be able to be automatically updated if Adobe weren't such absolute dicks about making you download the whole frigging file every time and do a full install versus an update.

    Don't get me started about unnecessary foreign language packs and other crap that is in that file.

    Any software manufacturer (Free or Not) that does not provide simple incremental updates should not be allowed to exist.

    Oracle (are you reading this, you devious little cocksuckers?) are counting on you to slip up and install some godforsaken, misbegotten ASK toolbar crap and steal your browser/homepage etc just to get JAVA.

    So Adobe and Oracle DELIBERATELY compromise the safety and security of their own software. Google is getting to that point right now with their abuse of their search engine. When I say I don't want you to change my homepage, I mean NO and I don't want you to ask me ever again. Good luck finding and fixing any Google setting unless you want to give away the farm and all your info.

    I fully agree that the sooner we see HTML5 take this crap over, the better we will all be. Let's make sure that H.265 codecs are more robust and also provide more open communication for video camera encoding/decoding/operation as well as cute kitty video playback.

    The cloud will not solve ANY problems, it will ONLY exacerbate them as there will be way more internet traffic that can be compromised by malware or poor latency.

    1. Anonymous Coward

      Re: It's the program updater!

      I update Java BY HAND in our small business, because the installer requires a new firewall rule for EVERY SINGLE UPDATE. Or I could just disable the firewall...

  9. Infernoz Bronze badge
    Meh

    Only latest JRE should be allowed in browsers

    I have various Java SDKs on my dev box, because the developers of some software I develop against are too damned slow to get up-to-date (and not just for Java!), and the customers can be years worse; however, I make sure that only the latest Java 1.7 JRE is installed and that none is present for earlier versions.

    I think the Firefox policy is correct, because Oracle are too damned slow to fix issues in Java, so it currently only allows Java applets to run when the user says yes to a prompt.

    Oracle may not have liked fixing 1.5 and 1.6; however, they damned well should, because a lot of businesses can't move off them yet, due to Sun's huge gap between versions (!), because the current software has to run correctly on the new versions, and it can break because Sun made some stupid, non-switchable, cross-version changes, and didn't backport enough fixes!

  10. Anonymous Coward

    Compliance

    If you buy software and it is certified on version 1.6.0_20 or whatever, that is what you run on. You **CANNOT** upgrade until the vendor re-certifies. And that probably means an upgrade. Which probably means paying. It certainly means a full re-test to ensure compliance.

    So it can be the case that no matter how much the enterprise user may wish to upgrade, they can't.

    And this is why all Java applications should be firewalled to hell and, preferably, run off in their own little DMZ. Keep that shit (and it is shit) off the main network.
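The two preceding posts describe the same audit from opposite ends: Infernoz keeps only the latest 1.7 JRE on a box, while the compliance poster is stuck on a vendor-certified 1.6.0_20 and can't move. Below is an added example, not code from the thread or from The Register, of how a defender would check a desktop inventory against that kind of policy. The inventory lines, host names, the minimum version 1.7.0_51 and the pinned exception are all constructed for the example. The one real subtlety it handles is that Java version strings of the 1.x.y_NN form sort wrongly as text (1.7.0_9 sorts after 1.7.0_45), so they are parsed into integer tuples before comparison; the marketing form "7u51" is accepted as well.

```python
"""Audit a constructed JRE inventory against a minimum-version policy.

Java version strings like "1.7.0_45" compare wrongly as plain text
("1.7.0_9" > "1.7.0_45" lexically), so they are parsed into integer
tuples before comparison. Hosts running vendor-certified software can
be pinned to one exact version and are reported separately.
"""
import re
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, int, int, int]

# "1.6.0_20" or "1.7.0" (update number optional), e.g. from `java -version`.
DOTTED_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:_(\d+))?$")
# Marketing form "7u51", which Oracle used alongside "1.7.0_51".
SHORT_RE = re.compile(r"^(\d+)u(\d+)$")

# Constructed sample inventory (host, reported JRE version). Not real hosts.
SAMPLE_INVENTORY = """\
ws-0101 1.6.0_20
ws-0102 1.7.0_45
ws-0103 1.7.0_9
ws-0104 1.7.0_51
ws-0105 1.6.0_45
ws-0106 7u51
ws-0107 unknown
"""

# Assumed policy values: the minimum acceptable JRE, and per-host pinned
# exceptions for hosts that must stay on a vendor-certified version.
POLICY_MINIMUM = "1.7.0_51"
PINNED_EXCEPTIONS: Dict[str, str] = {"ws-0101": "1.6.0_20"}


def parse_java_version(text: str) -> Optional[Version]:
    """Turn a JRE version string into a comparable tuple, or None."""
    text = text.strip()
    m = DOTTED_RE.match(text)
    if m:
        major, minor, patch, update = m.groups()
        return (int(major), int(minor), int(patch), int(update or 0))
    m = SHORT_RE.match(text)
    if m:
        family, update = m.groups()
        # "7u51" is the same release as "1.7.0_51".
        return (1, int(family), 0, int(update))
    return None


def classify_host(host: str, version: str, minimum: str,
                  pinned: Dict[str, str]) -> str:
    """Return one of: ok, outdated, pinned, drifted, unparseable."""
    found = parse_java_version(version)
    floor = parse_java_version(minimum)
    if found is None or floor is None:
        return "unparseable"
    if host in pinned:
        certified = parse_java_version(pinned[host])
        # A pinned host is expected on exactly its certified version;
        # anything else means the documented exception no longer matches reality.
        return "pinned" if found == certified else "drifted"
    return "ok" if found >= floor else "outdated"


def audit_inventory(inventory: str, minimum: str = POLICY_MINIMUM,
                    pinned: Optional[Dict[str, str]] = None) -> Dict[str, List[str]]:
    """Group hosts in a 'host version' inventory by policy status."""
    pinned = PINNED_EXCEPTIONS if pinned is None else pinned
    report: Dict[str, List[str]] = {}
    for line in inventory.splitlines():
        if not line.strip():
            continue
        host, version = line.split(None, 1)
        status = classify_host(host, version, minimum, pinned)
        report.setdefault(status, []).append(host)
    return report


if __name__ == "__main__":
    for status, hosts in sorted(audit_inventory(SAMPLE_INVENTORY).items()):
        print(f"{status:12s} {', '.join(hosts)}")
```

The "drifted" state is the one worth alerting on: a host with a compliance exception that is no longer on the exact certified build has lost the exception's justification, so it should either be re-certified or brought up to the policy minimum.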

  11. Tom 13

    ...rarely needed to use most websites. Despite this advice, ...

    Please engage your brain before writing this kind of nonsense.

    Businesses are engaged in the process of making money. They have no interest in deploying software for which they have no need. If Java is deployed, there's a pretty good chance they need it. If the browser helper is installed, there's an even better chance they need that too. No, it's not going to be for a public facing website. It's going to be one of their intranet sites, which probably also generates one of those invalid certificate errors* every time you visit it as well.

    Erik posted a good start on reasons why businesses behave this way.

    *Yes it's that time of year for me to be annoyed about this again. Because once again, the very first thing I had to do before taking the mandatory IT Security Awareness course was ignore one of those errors.
