According to security blogger Brian Krebs, the exploit is previously undocumented and is currently being sold by an established member of an invite-only Underweb forum. He said that the flaw targets an unpatched vulnerability in Java JRE 7 Update 9, the most recent version of Java.
According to the ‘seller’, the weakness resides within the Java class ‘MidiDevice.Info’, a component of Java that handles audio input and output.
“Code execution is very reliable, worked on all seven versions I tested with Firefox and MSIE on Windows 7,” the seller explained in a sales thread on his exploit. It is not clear whether Chrome is also affected. “I will only sell this one time and I leave no guarantee that it will not be patched so use it quickly.”
Asked for a price for the exploit, he said that he was setting the expected offer at ‘five digits’.
Krebs said: “The price of any exploit is ultimately whatever the market will bear, but this is roughly in line with the last Java zero-day exploit that was being traded and sold on the underground. In August, I wrote about a newly discovered Java exploit being folded into the BlackHole exploit kit, quoting the author of that crimeware tool as saying that ‘the price of such an exploit if it were sold privately would be about $100,000’.”
Oracle claims that three billion devices run Java across different platforms, since applications written in Java run seamlessly across multiple operating systems. The same reach also means a single Java flaw can expose users on every platform it runs on: earlier this year the Flashback worm took advantage of an unpatched vulnerability in Apple's version of Java, affecting some 650,000 Mac users.