Websense has released a new report on how users patch Java vulnerabilities. Having the latest update for your web browser and applying OS patches will not make users safe from Java attacks, because Oracle Java needs to be updated separately from other programs.
Researchers have found that:
- 2 days after the release of the patch, less than 2% of users had adopted Java SE Version 7 Update 21.
- After a full week, the average adoption of the newest version of Java was at less than 3%.
- 2 weeks after the newest Java version was released, the trend line had moved to a little over 4%.
- One month after release, the number of live web requests using the most recent version of Java was only around 7%.
One month after the release of Java SE Version 7 Update 21, which fixes 42 vulnerabilities, 93% of Java users are still exposed to active exploits. This includes 39 of the 42 bugs that can be exploited remotely using a Metasploit module.
Oracle is planning to release a Critical Patch Update for Java SE on June 18, 2013, so make sure to plan for and apply the security patches. It is better still to disable Java in the browser; if Java is required, users can enable the click-to-play functionality in their browsers.