Java Patch Didn't Fix Everything, New Exploit On Sale For $5,000


Microsoft and Oracle both released patches this week for zero-day exploits found in Internet Explorer 8 and Java. If you still use Internet Explorer 8 or below, you should probably download the fix available via Windows Update. As for Java, you should probably still keep that disabled.

Krebs on Security reports that a hacker has already found a hole in the Java fix that Oracle uploaded this week. This particular hacker relayed the news to others on a private Web forum, and began looking for buyers. Here's the sales pitch:

New Java 0day, selling to 2 people, 5k$ per person

And you thought Java had epically failed when the last 0day came out. I lol’d. The best part is even though java has failed once again and let users get compromised… guess what? I think you know what I’m going to say… there is yet another vulnerability in the latest version of java 7. I will not go into any details except with seriously interested buyers.

Code will be sold twice (it has been sold once already). It is not present in any known exploit pack including that very private version of [Blackhole] going for 10$k/month. I will be accepting counter bids if you wish to outbid the competition. What you get? Unencrypted source files to the exploit (so you can have recrypted as necessary, I would warn you to be cautious who you allow to encrypt… they might try to steal a copy). Encrypted, weaponized version, simply modify the url in the php page that calls up the jar to your own executable url and you are set. You may pm me.

What's worrisome is that the thread is reportedly gone as of today, which means that the exploit has been sold to two people already. That means we could be seeing another potentially dangerous zero-day attack on Java in the near future.

Oracle can't predict the future, and its engineers obviously can't predict what exploits are going to be found in its software. Hackers will always be one step ahead of software developers. All Oracle can do is remain vigilant and quickly put out a fix whenever a new exploit is found. Java's presence on over 1 billion PCs must put a ton of pressure on the company, but hopefully it can push out fixes just as quickly as the last one.

And next time, maybe check the fix to make sure there aren't any security holes left in it.

[h/t: Ars Technica]