Security Advisor

Java Zero-Day Exploit Being Sold on Black Market

The Oracle flaw is being shopped online by an unknown source.

Starting to stress on what to get that special someone this holiday season? Got five figures to blow on a present? How about buying a one-of-a-kind Java exploit?

According to researchers at Krebs on Security, an issue in the latest version of Java is being shopped around on the cyber black market by an unknown seller. Here's what you could be driving home with if you are the lucky winner:

"According to the vendor, the weakness resides within the Java class 'MidiDevice.Info,' a component of Java that handles audio input and output," said Krebs on Security's Kevin Mitnick, who has been in contact with the mystery seller. "'Code execution is very reliable, worked on all 7 versions I tested with Firefox and MSIE on Windows 7,' the seller explained in a sales thread on his exploit. It is not clear whether Chrome also is affected. 'I will only sell this ONE TIME and I leave no guarantee that it will not be patched so use it quickly.'"

While an exact price was not given, the user told Mitnick that he was looking for an offer of "five digits."

I'm not quite sure what the going rate is for a zero-day exploit that could do quite a bit of damage on unpatched machines, but given the frequency of Java flaws, the asking price seems a bit steep.

Mitnick took the opportunity to remind users of a precautionary action that seems to be prescribed more and more by security experts: just dump Java.

"I have repeatedly urged readers who have no use for Java to remove it from their systems entirely," said Mitnick. "This is a very complex program that is widely installed (Oracle claims that some 3 billion devices run Java), and those two qualities make it a favorite target for attackers."

While it may not be practical to completely remove Java from every machine that's under your IT watch, have you made any moves to do away with Oracle's Java in your enterprise? Share your thoughts in the comments below.
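Before deciding whether Java can be dumped, an admin needs to know where it is actually installed. The following PowerShell script is an added example (not from this article, from Krebs on Security, or from Oracle) that inventories Oracle/Sun Java entries on a Windows host by reading the standard Windows Uninstall registry keys; it is read-only and removes nothing. The display-name and publisher patterns used to match Java entries are assumptions that may need tuning for your environment.

```powershell
# Added example: inventory Java installs on a Windows host (read-only).
# Reads the standard Windows Uninstall registry keys; removes nothing.
# Assumes Windows PowerShell 2.0 or later (Windows 7 era).

function Get-InstalledJava {
    # Both the 64-bit and the 32-bit (Wow6432Node) uninstall keys; the 32-bit JRE
    # is the one a 32-bit browser on Windows 7 would typically load.
    $uninstallKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
    )

    foreach ($key in $uninstallKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($entry in (Get-ChildItem $key)) {
            $props = Get-ItemProperty $entry.PSPath
            # Assumed match pattern: Oracle/Sun products whose name starts with "Java"
            if ($props.DisplayName -like 'Java*' -and $props.Publisher -match 'Oracle|Sun') {
                $hive = '64-bit'
                if ($key -like '*Wow6432Node*') { $hive = '32-bit' }
                New-Object PSObject -Property @{
                    ComputerName    = $env:COMPUTERNAME
                    DisplayName     = $props.DisplayName
                    DisplayVersion  = $props.DisplayVersion
                    Publisher       = $props.Publisher
                    InstallLocation = $props.InstallLocation
                    UninstallString = $props.UninstallString
                    Hive            = $hive
                }
            }
        }
    }
}

# Run the inventory and keep a CSV for the change ticket
$java = @(Get-InstalledJava)
if ($java.Count -gt 0) {
    $java | Format-Table DisplayName, DisplayVersion, Hive, InstallLocation -AutoSize
    $java | Export-Csv -Path "$env:COMPUTERNAME-java-inventory.csv" -NoTypeInformation
} else {
    Write-Host "No Oracle/Sun Java entries found in the Uninstall registry keys."
}
```

Run it under a management tool or remoting across the fleet and the resulting CSVs tell you which machines carry a JRE at all, which version, and whether it is the 32-bit build that browsers load; that is the list to work from when deciding which hosts can lose Java entirely and which need the runtime patched instead.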

About the Author

Chris Paoli is the site producer for Redmondmag.com and MCPmag.com.


Reader Comments:

Fri, Nov 30, 2012

I know a lot of admins who would be happy to give him a five digit offer, even two... spelled FIST which he truly deserves

Thu, Nov 29, 2012

Hmmm... a Microsoft mag is suggesting that Java be removed. What a surprise.

Thu, Nov 29, 2012

I have never liked Java from day one; however, removing it is out of the question. Too many applications are written in Java. We need a more secure Java, a Java alternative or new applications not written in Java.

