The Inquirer-Home

Another Java exploit is on sale for $5,000

Criminals hit Java again just 24 hours after patch
Wed Jan 16 2013, 16:55

ANOTHER EXPLOIT aimed at Oracle's Java software has appeared just days after the company rushed out a patch to fix a previous vulnerability.

The exploit was detected on Wednesday by KrebsOnSecurity and reportedly takes advantage of another zero-day vulnerability in Java.

"On Monday, an administrator of an exclusive cybercrime forum posted a message saying he was selling a new Java 0day to a lucky two buyers. The cost: starting at $5,000 each," wrote Brian Krebs.

"The hacker forum admin's message promised weaponized and source code versions of the exploit. This seller also said his Java 0day - in the latest version of Java (Java 7 Update 11) - was not yet part of any exploit kits, including the Cool Exploit Kit."

If accurate, the zero-day vulnerability will be the second discovered this year. The first vulnerability was discovered after researchers spotted a ransomware Trojan known as Reveton targeting the flaw.

Unlike the alleged new attack, the original vulnerability was linked with the popular Blackhole and Cool exploit kits. The kits are infamous toolkits traded on the black market that enable cybercriminals to mount automated attacks.

The first attack led to widespread calls within the security industry for internet users to turn Java off.

The warnings reached near panic levels when the US Computer Emergency Response Team (CERT) again recommended that internet users shut the software down mere days after Oracle released its security update.

Despite the security fears, some companies have noted that simply turning Java off might not be an option for large businesses.

Krebs was quick to reiterate this sentiment, noting that Java web apps were never designed for use in consumer transactions.

"Much of the advice on how to lock down Java on consumer PCs simply doesn't scale in the enterprise, and vice-versa," wrote Krebs.

"Oracle's unprecedented four-day turnaround on a patch for the last zero-day flaw notwithstanding, the company lacks any kind of outward sign of awareness that its software is so broadly installed on consumer systems.

"Oracle seems to be sending a message that it doesn't want hundreds of millions of consumer users; those users should listen and respond accordingly."

At the time of publishing Oracle had not responded to a request from The INQUIRER for comment on the reported new Java vulnerability. µ

 
