Security Advisor

Java Zero-Day Exploit Being Sold on Black Market

The Oracle flaw is being shopped online by an unknown source.

Starting to stress on what to get that special someone this holiday season? Got five figures to blow on a present? How about buying a one-of-a-kind Java exploit?

According to researchers at Krebs on Security, an issue in the latest version of Java is being shopped around on the cyber black market by an unknown seller. Here's what you could be driving home with if you are the lucky winner:

"According to the vendor, the weakness resides within the Java class 'MidiDevice.Info,' a component of Java that handles audio input and output," said Krebs on Security's Kevin Mitnick, who has been in contact with the mystery seller. "'Code execution is very reliable, worked on all 7 version I tested with Firefox and MSIE on Windows 7,' the seller explained in a sales thread on his exploit. It is not clear whether Chrome also is affected. 'I will only sell this ONE TIME and I leave no guarantee that it will not be patched so use it quickly.'"

While an exact price was not given, the user told Mitnick that he was looking for an offer of "five digits."

I'm not quite sure of the going rate for a zero-day exploit that could do quite a bit of damage on unpatched machines, but given the frequency of Java flaws, the asking price seems a bit steep.

Mitnick took the opportunity to remind users of a precautionary action that seems to be prescribed more and more by security experts: just dump Java.

"I have repeatedly urged readers who have no use for Java to remove it from their systems entirely," said Mitnick. "This is a very complex program that is widely installed (Oracle claims that some 3 billion devices run Java), and those two qualities make it a favorite target for attackers."

While it may not be practical to completely remove Java from every machine under your IT watch, have you made any moves to do away with Oracle's Java in your enterprise? Share your thoughts in the comments below.

About the Author

Chris Paoli is the site producer for and


