Java security woes to stay with businesses for a long time

[Also see: Oracle speeds up Java patching cycle]

"Disabling Java in browsers would break access to these applications," said Chenxi Wang, an analyst for Forrester Research. "For that reason, not many have gotten rid of Java in their environment, despite the fact that Java has been the target of mass market malware exploits for years."

In addition, the technology IT administrators use for enforcing corporate policies does not include disabling or enabling Java for specific people in an organization. "This lack of enterprise controls is causing major heartburn for IT teams," said Andrew Storms, director of security operations for nCircle.

Besides not having an easy off-switch, some organizations are just plain slow at upgrading Java plug-ins. "Some have only just added it to their patching regimes,"said Glenn Chisholm, chief security officer of Cylance.

Many companies are starting to tackle the Java problem. Some are looking at application virtualization to provide Java in a browser for a single session, which is then destroyed and recreated when needed again, Chisholm said.