Oracle recently issued a security update addressing 21 critical vulnerabilities in Java SE and Java for Business. Nineteen of the 21 may be exploited remotely without authentication, that is, over a network by an attacker who holds no username or password. Oracle rates the severity of its vulnerabilities using the Common Vulnerability Scoring System (CVSS). Vulnerabilities of this kind are often identified by certified ethical hacking professionals; in this case they were reported by security researchers affiliated with Tipping Point, Google and IBM, among others. The update may be downloaded from Oracle's website.
Eight of the vulnerabilities were rated 10.0 (the maximum CVSS base score), two were rated 7.6 and four were rated 5.0. Twelve of the patched vulnerabilities affect client deployments of Java and could be exploited by untrusted Java Web Start applications and untrusted applets running in the sandbox; such untrusted code is supposed to run with limited privileges, so a successful exploit gains access the sandbox is meant to deny. Three affect both client and server deployments and may be exploited by untrusted applications, by untrusted applets, or by supplying crafted data to Java application programming interfaces (APIs). One affects client deployments on Windows systems that use the Java Update mechanism. Three affect server deployments and may be exploited by supplying crafted data to APIs. One affects client deployments and may be exploited when a user runs a standalone application.
Users should apply the security patches immediately to prevent attackers from exploiting these vulnerabilities. Because most of the patched flaws can be triggered by untrusted applets, an unpatched client can be attacked simply by visiting a web page that hosts a malicious applet. Lack of IT security awareness among users is one of the major reasons patches go unapplied. Online computer training and video clips may be used to make users aware of prevalent security threats and of the importance of timely and appropriate patching.
Exploitation of these vulnerabilities may compromise confidentiality, integrity and availability. Hiring professionals who hold IT security certifications may help organizations identify and apply the appropriate security patches in a timely manner. Oracle will release its next regular Critical Patch Updates for Java SE and Java for Business in June and October.
EC-Council is a member-based organization that certifies individuals in cybersecurity and e-commerce skills. It is the owner and developer of 16 security certifications, including Certified Ethical Hacker (CEH), Computer Hacking Forensic Investigator (CHFI) and EC-Council Certified Security Analyst (ECSA)/Licensed Penetration Tester (LPT). Its certification programs are offered in over 60 countries around the world.
EC-Council has trained over 80,000 individuals and certified more than 30,000 members, through more than 450 training partners globally. These certifications are recognized worldwide and have received endorsements from various government agencies including the U.S. federal government via the Montgomery GI Bill, Department of Defense via DoD 8570.01-M, National Security Agency (NSA) and the Committee on National Security Systems (CNSS). EC-Council also operates EC-Council University and the global series of Hacker Halted security conferences.
# # #
iClass is EC-Council's online training delivery platform. Students can attend live or recorded training sessions for courses such as Certified Ethical Hacker (CEH), EC-Council Certified Security Analyst (ECSA) and Computer Hacking Forensic Investigator (CHFI).