asy for home users to upgrade their Windows OS overnight, but it often takes corporations years to plan for and implement such a move.

This fact has led to products, such as the open-source JavaRa tool, whose sole purpose is to help users identify and remove old versions of Java. While these products will mitigate some percentage of attacks, many users will not understand the warning and may choose to allow the code to execute under the old, vulnerable version. In addition, so-called 'click bypass' vulnerabilities are often discovered in Java, allowing attackers to prevent the mitigating interactive messages from ever being seen by the user.

In July 2013, a vulnerability was found that affects Java major version 7 update 21, the newest version as of Bit9's data collection, as well as earlier versions. This vulnerability allows attackers to bypass the Java click-to-play security warning dialogue box without user interaction. According to Packet Storm, this means that attackers can still target an older version on an endpoint without user notification. The latest version at the time of Bit9's research, Java 7 Update 25, goes further and will not allow users to select older versions to run against. It remains to be seen whether click-bypass vulnerabilities become more difficult to uncover, however.

Conclusion

For the past 15 years or so, IT administrators have been under the misperception that updating Java would address its security issues. They have been told that to improve security, they should continuously and aggressively install Java updates on all of their endpoints. Unfortunately, installing is not the same as updating. Until very recently, those installations have failed to deliver the promised security upgrade because they have not removed the older, highly vulnerable versions of Java they were intended to replace.

As a result, most organisations have multiple versions of Java on their endpoints, including some that were released at the same time as Windows 95. Not only is Java widely installed in most enterprises, in most instances it is highly vulnerable. Java continues to be a required technology for many companies, but its ubiquity seems to be out of proportion with its current business use cases. Some enterprises appear to be choosing to remove Java from their environments, and the facts revealed in Bit9's research underscore the rationale for doing so.

It's not surprising that most companies are unaware of all the versions of Java on their systems. Most organisations have no idea what's running on their endpoints and servers – they lack visibility into those systems. And traditional security solutions, including antivirus, can't protect them from modern threats. While the industry appears to be making efforts to mitigate some of the issues that have brought us to where we are today, those efforts will have little impact on remediating the current situation. Traditional security solutions can't necessarily protect organisations from all modern threats.

Recent high-profile attacks continue to demonstrate that enterprises should view Java as a major security risk. Enterprises can benefit from better characterising and understanding the applications running on the endpoints in their environment, so they can evaluate the risks to those endpoints and more effectively prioritise remediation efforts. Moving forward, real-time visibility and protection for endpoints and servers will be essential
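The visibility gap described above, where an update is installed but the older JRE it was meant to replace lingers, can be checked from an endpoint inventory. The following is an added example, not code from the Bit9 report: it parses version strings in the `1.<major>.<minor>_<update>` form reported by `java -version` (so Java 7 Update 25 is `1.7.0_25`), and flags hosts that carry more than one JRE or any JRE below a chosen baseline. The inventory and the `ws-*` hostnames are constructed sample data.

```python
import re

# Version strings as printed by "java -version", e.g. "1.7.0_25" for
# Java 7 Update 25. The pattern is an assumption of this example.
VERSION_RE = re.compile(r"^1\.(\d+)\.(\d+)(?:_(\d+))?$")


def parse_version(s):
    """Return a comparable (major, minor, update) tuple for a JRE version string."""
    m = VERSION_RE.match(s.strip())
    if not m:
        raise ValueError(f"unrecognised Java version string: {s!r}")
    major, minor, update = m.groups()
    return (int(major), int(minor), int(update or 0))


# Constructed endpoint inventory: hostname -> JRE versions found on that host.
# ws-02 shows the "installed but not updated" pattern: 7u25 present, but
# 7u21 and a Java 6 release were never removed.
INVENTORY = {
    "ws-01": ["1.7.0_25"],
    "ws-02": ["1.7.0_25", "1.7.0_21", "1.6.0_45"],
    "ws-03": ["1.7.0_21", "1.1.8"],
}


def stale_java_report(inventory, baseline="1.7.0_25"):
    """Flag hosts with more than one JRE, or any JRE older than the baseline.

    Returns {host: {"installed": n, "newest": tuple, "below_baseline": [tuples]}}
    for every host that needs remediation; clean hosts are omitted.
    """
    base = parse_version(baseline)
    findings = {}
    for host, versions in inventory.items():
        parsed = sorted((parse_version(v) for v in versions), reverse=True)
        below = [v for v in parsed if v < base]
        if len(parsed) > 1 or below:
            findings[host] = {
                "installed": len(parsed),
                "newest": parsed[0],
                "below_baseline": below,
            }
    return findings


if __name__ == "__main__":
    for host, finding in stale_java_report(INVENTORY).items():
        print(host, finding)
```

A host with only the baseline release (`ws-01`) produces no finding; a host whose newest JRE is current but still carries older ones (`ws-02`) is reported, which is exactly the case a "was the update installed?" check would miss.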