Here we go again? On Sunday, Oracle released Java 7 Update 11 to address a recently disclosed security vulnerability that allowed attackers to execute malicious software on a victim’s machine. On Monday, criminals in the Underweb were reportedly selling an exploit for a different 0day vulnerability (one previously unknown and therefore still unpatched) in the latest version of the software.
An administrator of an unnamed exclusive cybercrime forum posted a message saying he was selling the exploit code for the unpatched flaw to two buyers at $5,000 apiece and had already sold it once to another party. Here are parts of the alleged message, courtesy of KrebsOnSecurity:
New Java 0day, selling to 2 people, 5k$ per person
And you thought Java had epically failed when the last 0day came out. I lol’d. The best part is even though java has failed once again and let users get compromised… guess what? I think you know what I’m going to say… there is yet another vulnerability in the latest version of java 7. I will not go into any details except with seriously interested buyers.
Code will be sold twice (it has been sold once already). It is not present in any known exploit pack including that very private version of [Blackhole] going for 10$k/month. I will be accepting counter bids if you wish to outbid the competition. What you get? Unencrypted source files to the exploit (so you can have recrypted as necessary, I would warn you to be cautious who you allow to encrypt… they might try to steal a copy). Encrypted, weaponized version, simply modify the url in the php page that calls up the jar to your own executable url and you are set. You may pm me.
The last security hole became a hot issue after it was discovered it had been exploited in the wild and made available in common exploit kits. This one is apparently not yet part of any kits, although the seller has promised source code versions of the exploit.
While we have yet to hear of this latest vulnerability being exploited, if it’s a legitimate one, it likely will be, though not necessarily broadly. Still, our advice remains the same: if you don’t need Java, uninstall it.
We have contacted Oracle about this alleged flaw in Java 7 Update 11 and below. We will update this article if we hear back.
Image credit: Marcin Krawczyk