Update, March 28, 3:48 p.m. ET: Marcus Carey, a security researcher at Rapid7, adds a bit more perspective on the severity of the situation with this exploit. He estimates that upwards of 60 to 80 percent of users probably are not yet patched
against this flaw. Here’s what he wrote:
Anytime an exploit, such as one for CVE-2012-0507, is added to mass exploit kits it goes from being a “hypothetical risk” to becoming a real risk. This particular exploit can be found in the widely used BlackHole Exploit kit.
Based on the Java patching habits of 28 million unique Internet users, Rapid7 estimates that 60-80% of computers running Java are vulnerable to this attack today.
Looking long term, upwards of 60% of Java installations are never up to the current patch level
. Since so many computers aren’t updated, even older exploits can be used to compromise victims.
Rapid7 researched the typical patch cycle for Java and identified a telling pattern of behavior. We found that during the first month after a Java patch is released, adoption is less than 10%. After 2 months, approximately 20% have applied patches and after 3 months, we found that more than 30% are patched
. We determined that the highest patch rate last year was 38% with Java Version 6 Update 26 3 months after its release.
Since this is only about a month since the patch was released (February 15), it’s likely that only approximately 10% of users have applied the patch.