Cybercriminals are reportedly selling details of a 0-day security hole in the latest version of Oracle’s Java, specifically the MidiDevice.Info component that handles audio input and output, for five figures. The flaw lets an attacker take control of your system if you are running Java 7 Update 9 or any previous version (although Java 6 is not affected in this case, it has many other flaws).
KrebsOnSecurity has the details:
“Code execution is very reliable, worked on all 7 version I tested with Firefox and MSIE on Windows 7,” the seller explained in a sales thread on his exploit. It is not clear whether Chrome also is affected. “I will only sell this ONE TIME and I leave no guarantee that it will not be patched so use it quickly.” The seller was not terribly specific on the price he is asking for this exploit, but set the expected offer at “five digits.”
The only good news here, and there isn’t much, is that this vulnerability does not yet appear to be exploited in the wild. As a result, Oracle could potentially have it patched soon, if the company manages to find the bug in question, or someone tells them about it. Unfortunately, given Java’s track record, and Oracle’s slow response to plugging security holes, we’re not holding our breath.
Our advice to users remains the same: regardless of what browser you’re using, uninstall Java if you don’t need it. If you do need it, use a separate browser only when Java is required, and disable Java in your default browser.
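Before deciding whether to uninstall or disable Java, it helps to know which build is actually installed. The script below is an added example, not code from the article or from Oracle: it parses the text that `java -version` prints and flags a runtime as affected when it is Java 7 Update 9 or any earlier Java 7 build, which is the range the article describes. It assumes the classic `java version "1.7.0_09"` string format of that era; the sample outputs at the bottom are constructed for offline testing.

```python
import re
import subprocess

# Added example (not from the original article). Classifies a Java runtime
# by the version string that `java -version` prints. The affected range
# (Java 7 Update 9 or any earlier Java 7 build) is taken from the article;
# Java 6 is reported there as not affected by this particular flaw.

# Matches e.g. 'java version "1.7.0_09"' or the GA form 'java version "1.7.0"'.
VERSION_RE = re.compile(r'java version "1\.(\d+)\.\d+(?:_(\d+))?"')


def parse_java_version(output):
    """Return (major, update) from `java -version` text, or None if no match.

    '1.7.0_09' -> (7, 9); '1.7.0' (no update suffix) -> (7, 0).
    """
    m = VERSION_RE.search(output)
    if not m:
        return None
    major = int(m.group(1))
    update = int(m.group(2)) if m.group(2) else 0
    return major, update


def is_affected(version):
    """True if the version is Java 7 Update 9 or any earlier Java 7 build."""
    if version is None:
        return False
    major, update = version
    return major == 7 and update <= 9


def classify(output):
    """Map raw `java -version` output to 'affected', 'not affected' or 'unknown'."""
    version = parse_java_version(output)
    if version is None:
        return "unknown"
    return "affected" if is_affected(version) else "not affected"


def check_installed_java():
    """Run `java -version` (it prints to stderr) and classify the result."""
    try:
        proc = subprocess.run(["java", "-version"],
                              capture_output=True, text=True, check=False)
    except FileNotFoundError:
        return "not installed"
    return classify(proc.stderr + proc.stdout)


# Constructed sample outputs, in the format the JRE of that era printed.
SAMPLE_OUTPUTS = {
    "7u9": 'java version "1.7.0_09"\nJava(TM) SE Runtime Environment (build 1.7.0_09-b05)\n',
    "7ga": 'java version "1.7.0"\n',
    "6u37": 'java version "1.6.0_37"\n',
}

if __name__ == "__main__":
    for label, text in SAMPLE_OUTPUTS.items():
        print(label, "->", classify(text))
    print("installed ->", check_installed_java())
```

Run it on a workstation to get a quick "affected / not affected / not installed" verdict; a runtime reported as affected is the case where the article's advice (uninstall, or confine Java to a separate browser and disable it in the default one) applies.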
We have contacted Oracle about this issue. We will update you if we hear back.
Image credit: Darren Deans