Despite the widespread and well-publicised exploitation of vulnerabilities in Java, large numbers of organisations continue to use versions that are weeks, months or even years out of date, a Websense survey of its customers has reported.

Collecting data from millions of endpoints, Websense discovered an amazing degree of fragmentation of Java clients, with three quarters using a Runtime that was at least six months out of date.

Drilling down again, two thirds were half a year out of date and half more than a year behind, a degree of vulnerability that would make such PCs easy meat for even non-targeted attacks using common Java exploits.

A quarter were more than four years out of date, as good as saying these endpoints will probably never receive a Java update.

Only one in twenty were detected to be running the latest Java version.

Plotting this against known exploits in malware toolkits, Websense found that 94 percent of endpoints were vulnerable to the most recent example, CVE-2013-1493. Three quarters were vulnerable to CVE-2012-5076 from last November.

“This means that more than 77 per cent of users (based on requests from our research) are currently using Java version that are essentially end of life and will not be updated, patched or supported by Oracle,” said Websense.

If one takes Websense’s figures at face value, there are actually two problems with Java.

First, a surprisingly large number of users aren’t being patched at all. Second, even those who do are finding it hard to keep up with the inexorable cycle of updates.

The situation is now so bad that many security experts recommend that consumers and businesses simply ditch Java altogether, or look to do that as soon as is possible.

There seem to be no easy way out of this impasse. Oracle has been encouraged to add new security features such as application whitelisting but this wouldn’t solve matters for the large population of holdouts.