Only 19% of Windows-based computers ran the latest version of Java in August 2013, according to research by Websense Security Labs.
This means that over 80% of Java requests are susceptible to two new Java exploits. With 84% of enterprise browsers being Java-enabled, this is a troubling statistic, the report said.
The research also found that nearly 40% of users are not running the most up-to-date versions of Flash, while 25% of Flash installations are more than six months old. And close to 20% are one year outdated.
Carl Leonard, senior security research manager EMEA at Websense told CBR that often the problem can lie with the end user. "Unfortunately end users can often be considered as one of the weaker links because they don't have all of the facts available to them, so they don't know if it's a good idea to apply an update or not," he said.
Cybercriminals are therefore exploiting the lack of updates to target Jive with malicious malware to extract data from companies. This data can then be used to advance further attacks or sold on.
It can also be an issue for IT departments within enterprises, as they may have a patch management process that takes the patch from Java or Flash to check that it doesn't cause any inadvertent problems within the enterprise before they roll it out.
"The IT admins of this world are trying to protect their organisation because these guys know that security issues are fixed by these patches and they want to apply the patches, but it's very difficult to do so," said Leonard.
Websense Security labs are finding more threats than ever before.
"The findings of our annual threat report shows that the number of attacks we find increases every year. We are always finding new ways to detect the attacks but the sheer volume of stolen data that is being trended is indicative of the danger to enterprises in the current climate because of the popularity of malicious code," explained Leonard.
"Enterprise companies in particular must be proactive in dealing with the threat as patch management (and most security controls) are struggling to help the majority of today's businesses. Without real-time inline security protection, business-critical applications will continue to remain vulnerable to these exploits."