Java Zero-Day Exploit Being Sold on Black Market
The Oracle flaw is being shopped online by an unknown source.
Starting to stress on what to get that special someone this holiday season? Got five figures to blow on a present? How about buying a one-of-a-kind Java exploit?
According to researchers at Krebs on Security, an issue in the latest version of Java is being shopped around on the cyber black market by an unknown seller. Here's what you could be driving home with if you are the lucky winner:
"According to the vendor, the weakness resides within the Java class 'MidiDevice.Info,' a component of Java that handles audio input and output, said Krebs on Security's Kevin Mitnick, who has been in contact with the mystery seller. "'Code execution is very reliable, worked on all 7 version I tested with Firefox and MSIE on Windows 7,' the seller explained in a sales thread on his exploit. It is not clear whether Chrome also is affected. 'I will only sell this ONE TIME and I leave no guarantee that it will not be patched so use it quickly.'"
While an exact price was not given, the user told Mitnick that he was looking for an offer of "five digits."
I'm not quite sure the going rate for a zero-day exploit that could do quite a bit of damage on unpatched machines, but with the frequency of Java flaws, the asking price seems a bit steep.
Mitnick took the opportunity to remind users of a precautionary action that seems to be prescribed more and more by security experts: just dump Java.
"I have repeatedly urged readers who have no use for Java to remove it from their systems entirely," said Mitnick. "This is a very complex program that is widely installed (Oracle claims that some 3 billion devices run Java), and those two qualities make it a favorite target for attackers."
While it may not be practical to completely remove Java from every machine that's under your IT watch, have you made any moves to do away with the Oracle in your enterprise? Share your thoughts in the comments below.