A recent Websense study that examined which versions of Java are being used across tens of millions of endpoints found that only about 5 percent of those studied are using the latest Java Runtime Environment, version 1.7.17 (h/t The Register).
According to the researchers, the vast majority of versions in use are months and even years out of date.
The Cool Exploit Kit leverages, among other flaws, Java vulnerability CVE-2013-1493, to which fully 93.77 percent of endpoints studied were vulnerable, and Java vulnerability CVE-2013-0431, to which 83.87 percent of endpoints studied were vulnerable.
"Grabbing a copy of the latest version of Cool and using a pre-packaged exploit is a pretty low bar to go after such a large population of vulnerable browsers," Websense vice president Charles Renert writes in a blog post. "Most browsers are vulnerable to a much broader array of well-known Java holes, with over 75 percent using versions that are at least six months old, nearly two-thirds being more than a year out of date, and more than 50 percent of browsers are greater than two years behind the times with respect to Java vulnerabilities."
Most importantly, Renert notes, the 78.86 percent of endpoints that aren't using version 7 will not be receiving any further updates from Oracle.
"It's clearly not just the zero-day attacks that should be getting all of the attention," Renert writes.
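The numbers above come from an inventory of which JRE build each endpoint reports. The script below is an added example, not part of the Websense study or the article, showing how a defender can produce the same kind of breakdown from their own asset data: it parses Java version strings of the form `1.7.0_17`, buckets each host as current, behind the latest update, or on a pre-7 JRE that Oracle no longer patches, and lists the hosts below any patch floor an administrator supplies. The hostnames and version strings in `SAMPLE_INVENTORY` are constructed for the example; the `LATEST` baseline is the Java 7 Update 17 release the article names and should be raised as new updates ship.

```python
import re
from collections import Counter

# Baseline taken from the article: Java 7 Update 17, written by the JRE as "1.7.0_17".
# Raise this tuple whenever Oracle ships a newer update.
LATEST = (1, 7, 0, 17)
# Per the article, endpoints not on Java 7 receive no further updates from Oracle.
LAST_SUPPORTED_MAJOR = 7

# Matches "1.7.0_17", "1.6.0_45", "1.7.0" and "1.7"; the update part is optional.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:_(\d+))?$")


def parse_java_version(text):
    """Parse '1.7.0_17' into (1, 7, 0, 17); missing parts become 0.

    Returns None for strings that do not follow the JRE's version format,
    so that garbage from a broken agent is counted rather than mis-bucketed.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        return None
    return tuple(int(g) if g is not None else 0 for g in m.groups())


def classify(version):
    """Bucket a parsed version tuple.

    'unsupported': major release below 7, so no vendor patches are coming;
    'outdated':    a supported release but older than LATEST;
    'current':     at or above LATEST.
    """
    if version[1] < LAST_SUPPORTED_MAJOR:
        return "unsupported"
    if version < LATEST:
        return "outdated"
    return "current"


def summarize(inventory):
    """Return (percentages, raw counts) per bucket for a list of (host, version) pairs."""
    counts = Counter()
    for _host, text in inventory:
        v = parse_java_version(text)
        counts["unparseable" if v is None else classify(v)] += 1
    total = sum(counts.values())
    percentages = {k: round(100.0 * n / total, 2) for k, n in counts.items()}
    return percentages, counts


def hosts_below(inventory, floor):
    """Hosts whose JRE is older than `floor`, e.g. the first build that fixes a given CVE.

    The floor is supplied by the administrator from the vendor advisory; this
    example does not encode which build fixed any particular CVE.
    """
    return sorted(
        host
        for host, text in inventory
        if (v := parse_java_version(text)) is not None and v < floor
    )


# Constructed sample inventory (hostname, reported Java version); not real data.
SAMPLE_INVENTORY = [
    ("ws-01", "1.7.0_17"),
    ("ws-02", "1.7.0_15"),
    ("ws-03", "1.7.0_15"),
    ("ws-04", "1.7.0_13"),
    ("ws-05", "1.6.0_45"),
    ("ws-06", "1.6.0_45"),
    ("ws-07", "1.6.0_45"),
    ("ws-08", "1.6.0_20"),
    ("ws-09", "1.5.0_22"),
    ("ws-10", "Java(TM) not installed"),
]

if __name__ == "__main__":
    pct, raw = summarize(SAMPLE_INVENTORY)
    for bucket in ("current", "outdated", "unsupported", "unparseable"):
        print(f"{bucket:12s} {raw.get(bucket, 0):3d} hosts  {pct.get(bucket, 0.0):6.2f}%")
    print("below LATEST:", ", ".join(hosts_below(SAMPLE_INVENTORY, LATEST)))
```

Feeding real agent output into `SAMPLE_INVENTORY` reproduces the article's three headline figures for your own fleet: share on the latest update, share behind it, and share on a release that will never be patched. Hosts in the last bucket are the ones where upgrading, not waiting for a patch, is the only fix.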