Java zero-day exploit being sold for ‘five digits’

By Sooraj Shah
28 Nov 2012

A vulnerability in Oracle's Java software that attackers can use to remotely seize control of systems running the program is being sold for "five digits".

The security hole is being sold by an established member of an invite-only "underweb" forum, according to security specialist Brian Krebs.

It targets an unpatched vulnerability in the most recent version of Java, Java JRE 7 Update 9, but does not affect Java 6 or earlier versions. The weakness is found within the Java class "MidiDevice.Info", part of the Java components that handle audio input and output.

In a sales thread exposed by Krebs, the seller explained the exploit.

"Code execution is very reliable, worked on all 7 versions I tested with Firefox and Internet Explorer on Windows 7. I will only sell this ONE TIME and I leave no guarantee that it will not be patched so use it quickly," he claimed.

The seller then went on to set the price at a vague "five digits".

Oracle may patch the problem soon if the company manages to locate the bug, but in the meantime Krebs has urged users who have no use for Java to remove it from their systems entirely.

Earlier this year, the Flashback Trojan exploited a vulnerability in Java to install itself on Macs and infect Apple users. Apple had to release a security update for all Mac users who had Java installed, while security firms urged users to update Java frequently.

Apple has since unplugged Java from the browser in OS X.

For the current issue, Krebs advises users who need to access websites that run on Java to use separate browsers – one for accessing Java-dependent websites and one to browse the web normally – until the problem has been fixed.
