You may be tempted to keep various versions of Java running on your systems, but doing so leaves you exposed to security threats There’s no denying the popularity of Java, as evidenced by its ubiquity on home and work systems worldwide. But it’s easy for computers — both in homes and at organizations — to have multiple versions of Java installed, thus exposing those systems to security exploits. IT admins need to do a better job of closing those holes. One critical step, which I’ve recommended for years, is for admins and users to update to the most recent version of Java (applications permitting) and to remove all other existing versions.Java’s security shortcomings are well documented. It, along with Adobe products, made up all top 10 successful exploit spots last year, according to Kaspersky. What’s more, Microsoft’s Security Intelligence Report 11 noted that Java was “responsible for between one-third and one-half of all [recent] exploits.” Over the past six months, I’ve found Java to be the most common exploit vector in all the cases I’ve personally investigated. Even Oracle recommends that customers remove old versions of Java and use only the latest patched versions.[ InfoWorld’s Paul Krill reveals why Android has helped Java remain so popular, as well as what Java 7 has in store for developers. | For more news and insights on using Java, subscribe to InfoWorld’s JavaWorld Enterprise Java newsletter and visit our sister site JavaWorld.com. ]Three factors contribute to Java’s unenviable “use with caution” status: First, Java is cross-platform. Almost every computer, regardless of OS, runs it. That makes it a juicy target for hackers. Second, many computers contain multiple versions, usually unbeknownst to the user. Third, at least one of those versions is unpatched. Java links can contain software that easily check for which versions a client browser is running; within a few seconds, a malicious program can hone in on an old, unpatched version. Removing all old versions of Java and running only the latest, patched versions is easier said than done. For one, new Java installs don’t necessarily uninstall the older versions automatically. That’s because some Java applications require specific versions in order to run. I’ve had clients with 5 to 10 different versions of Java installed, and they were scared to remove a single version for fear of breaking something.In most cases, Java applications will work with any version of the software. It’s just that no one has time to test it. If you’re running apps that don’t play well with the newest versions of Java, they probably need fixing ASAP. To get started in purging old versions of Java from your systems, you can check which versions you have installed and where using any software inventory program or patch checker. My favorite software patch checks are Secunia’s CSI, PSI, and OSI programs. You can also simply check Add/Remove Programs in Windows (or Programs/Uninstall a Program in Windows Vista/Server 2008 and later). For more guidance, check out Microsoft Principal Consultant Aaron Margosis’s recent blog entry about Java.IT shops should make a Java (legacy version) eradication program a top priority. While you’re at it, look for duplicate, older versions of Adobe Flash and Adobe Acrobat Reader. Those two other apps round out the top 10 client-side successful exploits. Want good bang for your buck? You got it.This story, “Old Java versions breed new security exploits,” was originally published at InfoWorld.com. Keep up on the latest developments in network security and read more of Roger Grimes’s Security Adviser blog at InfoWorld.com. For the latest business technology news, follow InfoWorld.com on Twitter. Related content analysis The 5 types of cyber attack you're most likely to face Don't be distracted by the exploit of the week. Invest your time and money defending against the threats you're apt to confront By Roger Grimes Aug 21, 2017 7 mins Phishing Malware Social Engineering analysis 'Jump boxes' and SAWs improve security, if you set them up right Organizations consistently and reliably using one or both of these approaches have far less risk than those that do not. By Roger Grimes Jul 26, 2017 13 mins Authentication Access Control Data and Information Security analysis Attention, 'red team' hackers: Stay on target You hire elite hackers to break your defenses and expose vulnerabilities -- not to be distracted by the pursuit of obscure flaws By Roger Grimes Dec 08, 2015 4 mins Hacking Data and Information Security Network Security analysis 4 do's and don'ts for safer holiday computing It's the season for scams, hacks, and malware attacks. But contrary to what you've heard, you can avoid being a victim pretty easily By Roger Grimes Dec 01, 2015 4 mins Phishing Malware Patch Management Software Podcasts Videos Resources Events SUBSCRIBE TO OUR NEWSLETTER From our editors straight to your inbox Get started by entering your email address below. Please enter a valid email address Subscribe