As we wrote on Tuesday, at least one of two major security vulnerabilities in Java—which is installed on an estimated 850 million PCs worldwide—was not all fixed by Oracle’s subsequent update.
Now, Brian Krebs of Krebs on Security has discovered an exploit for one of those two zero-day vulnerabilities—which hackers can use to take over any machine with Java installed in its browser—for sale on a shady Internet forum specializing in illegal hacking.
“On Monday,” Krebs wrote, “an administrator of an exclusive cybercrime forum posted a message saying he was selling a new Java 0day to a lucky two buyers. The cost: starting at $5,000 each.”
The post read, in part:
“And you thought Java had epically failed when the last 0day came out. I lol’d. The best part is even-though java has failed once again and let users get compromised… guess what? I think you know what I’m going to say… there is yet another vulnerability in the latest version of java 7. I will not go into any details except with seriously interested buyers.”
The exploits sold out quickly.
Paul Pajares, of Internet security firm Trend Micro, wrote on the company’s blog that they were made aware of malware disguised as Java Update 11. Although this malware does not exploit any Java vulnerability, it is clearly employing fear of that issue to snare the unaware.
Krebs believes the delivery vector itself, Java, is inherently unsafe to use on an “end-user PC” without isolating the program.
“I feel strongly,” he wrote, “that Oracle is an enterprise software company that.. suddenly found itself on hundreds of millions of consumer systems. Much of the advice on how to lock down Java on consumer PCs simply doesn’t scale in the enterprise.”
Ars Technica noted that a number of security companies believe Oracle is guilty of rushing out incomplete fixes to its vulnerabilities.
“Oracle seems to be sending a message that it doesn’t want hundreds of millions of consumer users,” wrote Krebs. “Those users should listen and respond accordingly.”
Photo by Sean Mulgrew/Flickr