Only three days ago on Sunday, Oracle patched yet another major zero-day security flaw in Java. The company isn’t known for being keen on patching vulnerabilities in Java and usually takes its time, but this one was so serious that they issued a fix very quickly and outside their usual patch schedule. In fact, the US Department of Homeland Security recommended that the software be disabled unless it was “absolutely necessary” to use it. Even after the patch was issued, the same advice was repeated on Monday by the department’s Computer Emergency Readiness Team (US-CERT).
This time, however, an even worse zero-day flaw has been uncovered which very few people know about. This makes it much more dangerous, since the window of opportunity for exploitation is bigger. Security blogger Brian Krebs discovered this new flaw by visiting an exclusive cybercrime forum where, since Monday (Jan 14th), an exploit kit was being peddled by the site’s admin for a staggering $5,000 to two lucky buyers – who were even invited to outbid each other! This exploit is present in the latest version of Java (v7 update 11) and, crucially, not in any previous exploit kit, thereby allowing the seller to command a high price for it. His sales pitch is quoted below, and it appears that the site’s admin has since found a second buyer, because the thread has now been deleted.
The exploit kit works in the usual way, through the web browser, via vulnerabilities exposed when Java is installed on the target’s computer. So the advice remains to uninstall Java from your computer – no one should be under the illusion that their computer is safe with this security-hole-riddled software on it.
New Java 0day, selling to 2 people, 5k$ per person
And you thought Java had epically failed when the last 0day came out.
I lol’d. The best part is even though java has failed once again and let users get compromised… guess what? I think you know what I’m going to say… there is yet another vulnerability in the latest version of java 7. I will not go into any details except with seriously interested buyers.
Code will be sold twice (it has been sold once already). It is not present in any known exploit pack including that very private version of [Blackhole] going for 10$k/month. I will be accepting counter bids if you wish to outbid the competition. What do you get? Unencrypted source files to the exploit (so you can have it recrypted as necessary, I would warn you to be cautious who you allow to encrypt… they might try to steal a copy). Encrypted, weaponized version, simply modify the url in the php page that calls up the jar to your own executable url and you are set. You may pm me.