January 16, 2013
New, Unpatched Java Exploit On Sale For $5,000
Michael Harper for redOrbit.com — Your Universe Online
Not even 24 hours after Oracle released a fix for the latest in a string of Java exploits, cybercriminals are already reportedly selling a completely different zero-day Java exploit. The most recent fix for Java 7 was meant to close a security hole that had become so well known that working exploits for it were being packaged and sold in cybercrime “toolkits.”
According to Krebs on Security, one cybercriminal in the “Underweb” is selling an exploit for this new, unpatched Java vulnerability for as much as $5,000 per buyer. The seller is reportedly an administrator of a hacking forum and has posted a few details about the new zero-day exploit in order to attract potential buyers.
A post entitled “New Java 0day, selling to 2 people, 5k$ per person,” reads:
“And you thought Java had epically failed when the last 0day came out. I lol’d. The best part is even though java has failed once again and let users get compromised… guess what? I think you know what I’m going to say… there is yet another vulnerability in the latest version of java 7. I will not go into any details except with seriously interested buyers.”
According to the seller, the code has already been sold once and will not be included in the Blackhole exploit kit. The previous Java exploits were said to have shipped with such kits.
“I will [be] accepting counter bids if you wish to outbid the competition,” continues the forum administrator.
“What you get? Unencrypted source files to the exploit (so you can have recrypted as necessary, I would warn you to be cautious who you allow to encrypt… they might try to steal a copy) Encrypted, weaponized version, simply modify the url in the php page that calls up the jar to your own executable url and you are set.”
According to Krebs on Security, this post has since been deleted, suggesting the seller may have already found a second buyer.
Java is quickly becoming synonymous with buggy and dangerous software, as new patches are quickly circumvented and new exploits are often sold privately rather than disclosed. These repeated exploits have led many security professionals to suggest that users disable the Java browser plugin or uninstall Java from their machines altogether. Last week, the US Department of Homeland Security issued an alert about the previous Java zero-day, warning users about the spread of that exploit and its widespread availability via multiple hacking toolkits.
As it turns out, a warning from the federal government is all it takes to get Oracle to turn out a quick security patch for Java.
Even as the fix was released, one security lab claimed the patch was incomplete and did not fully resolve the zero-day exploit issue.
“With this incident, the biggest question on everyone’s mind is ‘Are users safe after installing the patch?’ or ‘Does the patch protect from recent attacks using CVE-2013-0422?’” asks Pawan Kinger on the Security Intelligence blog at TrendLabs.
“Yes, but only until someone finds another bug to couple with the first issue.”
In the end, it seems like the safest bet is to stay as far away from Java as possible.