Java exploits sell for $5,000 on the Internet's seedy black market
As we wrote on Tuesday, at least one of two major security vulnerabilities in Java—which is installed on an estimated 850 million PCs worldwide—was not fully fixed by Oracle’s subsequent update.
Now, Brian Krebs of Krebs on Security has discovered an exploit for one of those two zero-day vulnerabilities—which hackers can use to take over any machine with Java installed in its browser—for sale on a shady Internet forum specializing in illegal hacking.
“On Monday,” Krebs wrote, “an administrator of an exclusive cybercrime forum posted a message saying he was selling a new Java 0day to a lucky two buyers. The cost: starting at $5,000 each.”
The post read, in part:
“And you thought Java had epically failed when the last 0day came out. I lol’d. The best part is even-though java has failed once again and let users get compromised… guess what? I think you know what I’m going to say… there is yet another vulnerability in the latest version of java 7. I will not go into any details except with seriously interested buyers.”
The exploits sold out quickly.
Paul Pajares, of Internet security firm Trend Micro, wrote on the company’s blog that the company had been made aware of malware disguised as Java Update 11. Although this malware does not exploit any Java vulnerability, it is clearly trading on fear of that issue to snare the unaware.
Krebs believes the delivery vector itself, Java, is inherently unsafe to use on an “end-user PC” without isolating the program.
“I feel strongly,” he wrote, “that Oracle is an enterprise software company that… suddenly found itself on hundreds of millions of consumer systems. Much of the advice on how to lock down Java on consumer PCs simply doesn’t scale in the enterprise.”
Ars Technica noted that a number of security companies believe Oracle is guilty of rushing out incomplete fixes to its vulnerabilities.
“Oracle seems to be sending a message that it doesn’t want hundreds of millions of consumer users,” wrote Krebs. “Those users should listen and respond accordingly.”
Photo by Sean Mulgrew/Flickr