A recent Websense study that examined which versions of Java are being used across tens of millions of endpoints found that only about 5 percent of those studied are using the latest Java Runtime Environment, version 1.7.17 (h/t The Register).
According to the researchers, the vast majority of versions in use are months and even years out of date.
The Cool Exploit Kit leverages Java vulnerability CVE-2013-1493, to which fully 93.77 percent of endpoints studied were vulnerable, and Java vulnerability CVE-2013-0431, to which 83.87 percent of endpoints studied were vulnerable, among others.
"Grabbing a copy of the latest version of Cool and using a pre-packaged exploit is a pretty low bar to go after such a large population of vulnerable browsers," Websense vice president Charles Renert writes in a blog post. "Most browsers are vulnerable to a much broader array of well-known Java holes, with over 75 percent using versions that are at least six months old, nearly two-thirds being more than a year out of date, and more than 50 percent of browsers are greater than two years behind the times with respect to Java vulnerabilities."
Most importantly, Renert notes, the 78.86 percent of endpoints that aren't using version 7 will not be receiving any further updates from Oracle.
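The figures above (share on the latest release, share more than six months, one year or two years behind, share on a major version that no longer gets updates) are exactly what a defender wants from their own endpoint inventory. The following script is an added example, not code from Websense or The Register: it parses pre-Java 9 `java.version` strings of the form `1.<major>.<minor>_<update>`, flags each endpoint as behind the latest release and/or on an unsupported major line, and buckets it by release age. The inventory records, the release-date table and the `as_of` date are all constructed for the example and are not Oracle's actual release calendar.

```python
import re
from datetime import date

# Pre-Java 9 "java.version" strings look like "1.7.0_17" (Java 7 Update 17).
VERSION_RE = re.compile(r"^1\.(\d+)\.(\d+)(?:_(\d+))?(?:-[\w.]+)?$")

# The release the page calls current (Java 7 Update 17) and the only major
# line the page says is still receiving updates.
LATEST = (7, 17)
SUPPORTED_MAJOR = 7

# Constructed release dates for the update levels used in the sample
# inventory. These are placeholders for the example, not real Oracle dates.
RELEASE_DATES = {
    (7, 17): date(2013, 3, 4),
    (7, 10): date(2012, 12, 11),
    (7, 4): date(2012, 4, 26),
    (6, 41): date(2013, 2, 1),
    (6, 31): date(2012, 2, 14),
    (6, 20): date(2010, 4, 15),
    (5, 22): date(2009, 11, 3),
}

def parse_java_version(text):
    """Return (major, update) from a pre-Java 9 java.version string."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised java.version string: {text!r}")
    major = int(m.group(1))
    update = int(m.group(3) or 0)   # "1.6.0" with no update suffix is update 0
    return major, update

def age_bucket(version, as_of):
    """Classify a release by how long ago it shipped relative to as_of."""
    released = RELEASE_DATES.get(version)
    if released is None:
        return "unknown"
    age_days = (as_of - released).days
    if age_days > 730:
        return "2y+"
    if age_days > 365:
        return "1y+"
    if age_days > 182:
        return "6m+"
    return "current"

def assess(text, as_of):
    """Per-endpoint verdict: behind latest, on an unsupported major, and age."""
    version = parse_java_version(text)
    return {
        "version": version,
        # A recent 6uXX can be "current" by age yet still unsupported; the
        # two flags are deliberately independent.
        "unsupported_major": version[0] < SUPPORTED_MAJOR,
        "behind_latest": version < LATEST,   # tuple comparison: major, then update
        "age": age_bucket(version, as_of),
    }

def summarise(inventory, as_of):
    """Fleet-level percentages in the same shape as the study's headline numbers."""
    results = [assess(ver, as_of) for _, ver in inventory]
    n = len(results)

    def pct(pred):
        return round(100 * sum(1 for r in results if pred(r)) / n, 2)

    return {
        "on_latest": pct(lambda r: not r["behind_latest"]),
        "unsupported_major": pct(lambda r: r["unsupported_major"]),
        "6m_or_older": pct(lambda r: r["age"] in ("6m+", "1y+", "2y+")),
        "1y_or_older": pct(lambda r: r["age"] in ("1y+", "2y+")),
        "2y_or_older": pct(lambda r: r["age"] == "2y+"),
    }

# Constructed inventory: (endpoint name, java.version string reported by the JRE).
INVENTORY = [
    ("ws-001", "1.7.0_17"),
    ("ws-002", "1.7.0_10"),
    ("ws-003", "1.7.0_04"),
    ("ws-004", "1.6.0_41"),
    ("ws-005", "1.6.0_31"),
    ("ws-006", "1.6.0_20"),
    ("ws-007", "1.5.0_22"),
    ("ws-008", "1.6.0_31"),
]
AS_OF = date(2013, 3, 28)   # constructed assessment date

if __name__ == "__main__":
    for endpoint, ver in INVENTORY:
        print(endpoint, ver, assess(ver, AS_OF))
    print(summarise(INVENTORY, AS_OF))
```

Feeding the script a real export (for example the `java.version` value collected by an inventory agent) only requires replacing `INVENTORY` and keeping `RELEASE_DATES` up to date; the "unsupported_major" percentage is the number Renert singles out, since those endpoints stay exposed no matter how promptly the rest of the fleet patches.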
"It's clearly not just the zero-day attacks that should be getting all of the attention," Renert writes.