Just days after patching the zero-day vulnerability in Java, Oracle is facing another known exploit with an underground price tag of $5,000.
According to security blogger Brian Krebs, an administrator of an exclusive cyber crime forum has posted a message saying he was selling a new Java zero-day to two buyers at $5,000 each. Krebs said: “The hacker forum admin's message promised weaponised and source code versions of the exploit. This seller also said his Java zero-day, in the latest version of Java (Java 7 Update 11), was not yet part of any exploit kits.”
The seller said at the time of posting that one of the two copies had already been sold, and Krebs said that the thread had since been deleted, so he assumed the seller had found a second buyer.
“To my mind, this should dispel any illusions that people may harbour about the safety and security of having Java installed on an end-user PC without taking careful steps to isolate the program. I should note that this same thing happened not long after Oracle released a Java update in October; a few weeks later, a Java zero-day was being sold to a few private users on this same Underweb forum,” he said.
Paul Ducklin, head of technology for Sophos Asia Pacific, said: “The value the seller is placing on this exploit sounds a bit low to me: he's expecting total earnings of just $10,000 for a reliable, working and current Java zero-day.
“I don't mean to sound as though I think cyber criminality is glib and workaday. I'd simply have thought that he could have asked and got more. There are many possible reasons for that value, not least that I'm ill-informed about competitive pricing in the underground, and two interesting ones spring to mind: there isn't a new exploit; or it's not a very good one and it's just a wind-up.
“The widespread news coverage recommending that you turn off Java is pushing down the price. Let's hope that the reason is the latter.”
Oracle released the security update for the zero-day flaw in Java over the weekend, with a rating of 'high'. Ross Barrett, senior manager of security engineering at Rapid7, said: “This fix is available now as Java 7u11 and anyone who uses Java in their browser should update immediately.
“This fix changes the default Java browser security settings to require user consent to execute Java applets that are not digitally signed, or are self-signed, which indicates that Oracle has made a minor concession against ease-of-use to try to protect users from the next time a Java vulnerability is exploited in the wild.”
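The advice above is to update to 7u11 at once; a quick way to confirm that the update has actually landed on a host, as an added example that is not part of the article or of Oracle's tooling, is a POSIX shell snippet that parses the output of `java -version` (which Java writes to stderr) and reports whether the installed release is at least Java 7 Update 11. The function names and the sample version strings are mine, constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the article: check whether the Java on this host is
# at least 7 Update 11, the release Oracle shipped for the flaw discussed above.
# Note that `java -version` prints to stderr, so capture it with 2>&1.

# parse_java_version "<java -version output>"  ->  prints "FAMILY UPDATE"
# e.g. 'java version "1.7.0_11"' -> "7 11"; returns 1 if no version string is found.
parse_java_version() {
    ver=$(printf '%s\n' "$1" | sed -n 's/.*version "\([^"]*\)".*/\1/p' | head -n 1)
    [ -n "$ver" ] || return 1
    first=$(printf '%s\n' "$ver" | cut -d. -f1)
    if [ "$first" = "1" ]; then
        family=$(printf '%s\n' "$ver" | cut -d. -f2)   # legacy form 1.7.0_11
    else
        family=$first                                  # newer form 11.0.2
    fi
    update=$(printf '%s\n' "$ver" | sed -n 's/.*_\([0-9][0-9]*\).*/\1/p')
    [ -n "$update" ] || update=0
    printf '%s %s\n' "$family" "$update"
}

# java_at_least FAMILY UPDATE "<java -version output>"
# exit 0 if the installed release is >= FAMILY uUPDATE, 1 if older, 2 if unparseable.
java_at_least() {
    want_family=$1
    want_update=$2
    parsed=$(parse_java_version "$3") || return 2
    have_family=${parsed% *}
    have_update=${parsed#* }
    if [ "$have_family" -gt "$want_family" ]; then
        return 0
    elif [ "$have_family" -lt "$want_family" ]; then
        return 1
    elif [ "$have_update" -ge "$want_update" ]; then
        return 0
    else
        return 1
    fi
}

# Constructed sample outputs (not captured from a real host) for a dry run.
SAMPLE_OLD='java version "1.7.0_10"
Java(TM) SE Runtime Environment (build 1.7.0_10-b18)'
SAMPLE_NEW='java version "1.7.0_11"
Java(TM) SE Runtime Environment (build 1.7.0_11-b21)'

for s in "$SAMPLE_OLD" "$SAMPLE_NEW"; do
    if java_at_least 7 11 "$s"; then
        echo "OK   : $(parse_java_version "$s") is 7u11 or later"
    else
        echo "STALE: $(parse_java_version "$s") predates 7u11; update or disable the browser plug-in"
    fi
done

# Live check against the Java actually on this host, if any.
if command -v java >/dev/null 2>&1; then
    if java_at_least 7 11 "$(java -version 2>&1)"; then
        echo "installed Java is 7u11 or later"
    else
        echo "installed Java is older than 7u11 or could not be parsed"
    fi
fi
```

The check only tells you which JRE the `java` on the PATH is; a browser plug-in can be wired to a different installation, so on a desktop also confirm the plug-in's version from the browser's own add-on page, or disable the plug-in outright as the article suggests.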