This article was published on January 16, 2013

Less than 24 hours after last patch, criminals were selling a new Java exploit for $5,000 per buyer


Less than 24 hours after last patch, criminals were selling a new Java exploit for $5,000 per buyer

Here we go again? On Sunday, Oracle released Java 7 Update 11 to address a recently disclosed security vulnerability which allowed attackers to execute malicious software on a victim’s machine. On Monday, criminals in the Underweb were reportedly selling an exploit for a different 0day vulnerability (previously unknown and thus which doesn’t have a patch) in the latest version of the software.

An administrator of an unnamed exclusive cybercrime forum posted a message saying he was selling the exploit code for the unpatched flaw to two buyers at $5,000 apiece and had already sold it once to another party. Here are parts of the alleged message, courtesy of KrebsOnSecurity:

New Java 0day, selling to 2 people, 5k$ per person

And you thought Java had epically failed when the last 0day came out. I lol’d. The best part is even-though java has failed once again and let users get compromised… guess what? I think you know what I’m going to say… there is yet another vulnerability in the latest version of java 7. I will not go into any details except with seriously interested buyers.

Code will be sold twice (it has been sold once already). It is not present in any known exploit pack including that very private version of [Blackhole] going for 10$k/month. I will accepting counter bids if you wish to outbid the competition. What you get? Unencrypted source files to the exploit (so you can have recrypted as necessary, I would warn you to be cautious who you allow to encrypt… they might try to steal a copy) Encrypted, weaponized version, simply modify the url in the php page that calls up the jar to your own executable url and you are set. You may pm me.

The last security hole became a hot issue after it was discovered it had been exploited in the wild and made available in common exploit kits. This one is apparently not yet part of any kits, although the seller has promised source code versions of the exploit.

While we have yet to hear of this latest vulnerability being exploited, if it’s a legitimate one, it likely will be, though not necessarily broadly. Still, our advice remains the same: if you don’t need Java, uninstall it.

We have contacted Oracle about this alleged flaw in Java 7 Update 11 and below. We will update this article if we hear back.

Image credit: Marcin Krawczyk

Get the TNW newsletter

Get the most important tech news in your inbox each week.