This article was published on November 27, 2012

    Security hole in latest Java lets attacker remotely seize control, exploit on sale for five figures

    Story by Emil Protalinski

    Emil was a reporter for The Next Web between 2012 and 2014. Over the years, he has covered the tech industry for multiple publications, including Ars Technica, Neowin, TechSpot, ZDNet, and CNET. Stay in touch via Facebook, Twitter, and Google+.

    Cybercriminals are reportedly selling details of a 0-day security hole in the latest version of Oracle’s Java, specifically the MidiDevice.Info component that handles audio input and output, for five figures. The flaw lets an attacker take control of your system if you are running Java 7 Update 9 or any previous version (although Java 6 is not affected in this case, it has many other flaws).

    KrebsOnSecurity has the details:

    “Code execution is very reliable, worked on all 7 version I tested with Firefox and MSIE on Windows 7,” the seller explained in a sales thread on his exploit. It is not clear whether Chrome also is affected. “I will only sell this ONE TIME and I leave no guarantee that it will not be patched so use it quickly.” The seller was not terribly specific on the price he is asking for this exploit, but set the expected offer at “five digits.”

    The only good news here, and there isn’t much, is that this vulnerability does not yet appear to be in the wild. As a result, Oracle could potentially have it patched soon, if the company manages to find the bug in question or someone tells it about the flaw. Unfortunately, given Java’s track record and Oracle’s slow response in plugging security holes, we’re not holding our breath.

    Our advice to users remains the same: regardless of what browser you’re using, uninstall Java if you don’t need it. If you do need it, use a separate browser when Java is required, and otherwise disable Java in your default browser.

    We have contacted Oracle about this issue. We will update you if we hear back.

    See also – Security companies are recommending you disable Java, or just uninstall it and Mozilla joins the chorus, tells Firefox users to disable Java due to security hole

    Image credit: Darren Deans
