Security Advisor

Java Zero-Day Exploit Being Sold on Black Market

The Oracle flaw is being shopped online by an unknown source.

Starting to stress on what to get that special someone this holiday season? Got five figures to blow on a present? How about buying a one-of-a-kind Java exploit?

According to researchers at Krebs on Security, an issue in the latest version of Java is being shopped around on the cyber black market by an unknown seller. Here's what you could be driving home with if you are the lucky winner:

"According to the vendor, the weakness resides within the Java class 'MidiDevice.Info,' a component of Java that handles audio input and output," said Krebs on Security's Kevin Mitnick, who has been in contact with the mystery seller. "'Code execution is very reliable, worked on all 7 version I tested with Firefox and MSIE on Windows 7,' the seller explained in a sales thread on his exploit. It is not clear whether Chrome also is affected. 'I will only sell this ONE TIME and I leave no guarantee that it will not be patched so use it quickly.'"

While an exact price was not given, the user told Mitnick that he was looking for an offer of "five digits."

I'm not quite sure of the going rate for a zero-day exploit that could do quite a bit of damage on unpatched machines, but with the frequency of Java flaws, the asking price seems a bit steep.

Mitnick took the opportunity to remind users of a precautionary action that seems to be prescribed more and more by security experts: just dump Java.

"I have repeatedly urged readers who have no use for Java to remove it from their systems entirely," said Mitnick. "This is a very complex program that is widely installed (Oracle claims that some 3 billion devices run Java), and those two qualities make it a favorite target for attackers."

While it may not be practical to completely remove Java from every machine that's under your IT watch, have you made any moves to do away with Oracle's Java in your enterprise? Share your thoughts in the comments below.

About the Author

Chris Paoli is the site producer for and
