The problem with having multiple versions of Java installed at the same time on a system is that attackers can target the older and vulnerable versions to hack into that computer. Once that happens, the security of the newer Java versions doesn't help.
Code that enumerates all Java versions installed on a system for reconnaissance purposes has already been seen in real attacks, Bit9 said in the report.
Having different Java versions on a system increases usability because customers can run legacy applications, but from a security perspective it's a nightmare, Sverdlove said. Every version that is installed introduces yet another set of known vulnerabilities that attackers can target, he said.
Sverdlove compared the situation of companies running five-to-10-year-old versions of Java to running Windows 95. This practice might be convenient for compatibility reasons, but it's a horrible security risk, he said.
In most cases, this kind of Java version fragmentation inside enterprise environments is probably not even intentional, as many companies don't understand or keep track of how many versions they have installed, Sverdlove said.
First and foremost, organizations should get an assessment of what Java versions they have in their environments and where, Sverdlove said. The next step should be for them, as a matter of security policy, to stop and seriously consider whether they need Java, and if they do, for what purposes, he said.
The results of this assessment will vary among organizations, Sverdlove said. Some companies might find that a particular version of Java is needed to run legacy applications, but only on certain computers. Others might discover that certain websites that require Java work with the latest version of the software, and some might find that Java is only needed on their servers and not on desktops, he said.
Regardless of their individual Java needs, organizations should create a Java deployment policy and enforce it, Sverdlove said. If their policy is to not have Java, then they should use tools to block it from running; if they determine that they only need Java on certain machines, then they should remove it from all other machines, he said.
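One way to turn the assess-then-enforce step above into a repeatable check, as an added example that is not from the article or the Bit9 report: a Python script that takes a constructed per-host inventory of installed Java versions and flags every install a per-role deployment policy does not allow (no Java on desktops, one pinned version where a legacy application needs it, a minimum version on servers). The policy, hostnames and version strings are assumed sample data.

```python
import re

# Java version strings come in two shapes: legacy "1.6.0_45" (Java 6 update 45)
# and post-Java-9 "11.0.2"; both normalise to a comparable (major, minor, update).
_LEGACY = re.compile(r"^1\.(\d+)\.(\d+)_(\d+)$")
_MODERN = re.compile(r"^([2-9]|[1-9]\d+)\.(\d+)\.(\d+)$")  # major 2+ only

def parse_java_version(s):
    m = _LEGACY.match(s) or _MODERN.match(s)
    if not m:
        raise ValueError("unrecognised Java version string: %r" % s)
    return tuple(int(x) for x in m.groups())

# Constructed policy (assumed, not from the report), one entry per host role:
#   None           -> Java is not permitted; block or remove it
#   {"pin": {...}} -> only these exact versions, e.g. what a legacy app needs
#   {"min": "..."} -> any version at or above this one
POLICY = {
    "desktop": None,
    "legacy-workstation": {"pin": {"1.7.0_80"}},
    "server": {"min": "1.8.0_202"},
}

def find_violations(inventory, policy=POLICY):
    """Return (host, version, reason) for each install the policy does not allow."""
    violations = []
    for host, role, versions in inventory:
        rule = policy[role]
        for v in versions:
            parsed = parse_java_version(v)  # reject garbage before comparing
            if rule is None:
                violations.append((host, v, "Java not permitted on role " + role))
            elif "pin" in rule and v not in rule["pin"]:
                violations.append((host, v, "not the pinned version for role " + role))
            elif "min" in rule and parsed < parse_java_version(rule["min"]):
                violations.append((host, v, "older than policy minimum " + rule["min"]))
    return violations

# Constructed inventory: (hostname, role, Java versions found by the assessment).
SAMPLE_INVENTORY = [
    ("ws-01", "desktop", ["1.6.0_45", "1.7.0_21"]),
    ("ws-02", "desktop", []),
    ("lw-01", "legacy-workstation", ["1.7.0_80", "1.6.0_31"]),
    ("srv-01", "server", ["1.8.0_202"]),
    ("srv-02", "server", ["1.8.0_191", "11.0.2"]),
]

if __name__ == "__main__":
    for host, version, reason in find_violations(SAMPLE_INVENTORY):
        print(host, version, reason)
```

In practice the inventory would come from the endpoint assessment (registry or package data collected by an agent); the point of the script is that the policy is written down once and every host is checked against it the same way.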
The most common way for hackers to attack Java installations is through the software's Web browser plug-ins by using exploits hosted on websites.
The Bit9 report did not contain specific information about how many of the Java installations identified on enterprise endpoints were accessible through the Web browsers on those computers. However, the majority of the sampled endpoint systems were desktops and laptops, so the likelihood of those Java installations being exposed to Web attacks is high, Sverdlove said.