
Java zero-day exploit being sold for ‘five digits’

By Sooraj Shah

28 Nov 2012


A vulnerability in Oracle's Java software that attackers can use to remotely seize control of systems running the program is being sold for "five digits".

The security hole is being sold by an established member of an invite-only "underweb" forum, according to security specialist Brian Krebs.


It targets an unpatched vulnerability in what was then the most recent release of Java, JRE 7 Update 9, and does not affect Java 6 or earlier versions. The flaw lies in the Java class MidiDevice.Info, part of the Java Sound API that handles MIDI audio devices.

In the sales thread Krebs uncovered, the seller described the exploit.

"Code execution is very reliable, worked on all 7 versions I tested with Firefox and Internet Explorer on Windows 7. I will only sell this ONE TIME and I leave no guarantee that it will not be patched so use it quickly," he claimed.

The seller then went on to set the price at a vague "five digits".

Oracle could patch the flaw soon if it manages to locate the bug, but in the meantime Krebs has urged users who have no need for Java to remove it from their systems entirely.

Earlier this year, the Flashback Trojan exploited a vulnerability in Java to install itself on Apple Macs. Apple had to release a security update for all Mac users who had Java installed, and security firms urged users to keep Java up to date.

Apple has since removed the Java plug-in from browsers in OS X.

For the current issue, Krebs advises users who need to visit websites that require Java to use two separate browsers, one with Java enabled for those sites only and one for normal web browsing, until the problem has been fixed.
