New Java exploit sells for $5000 on black web; possible threat to millions of PCs

Another previously unpublicized flaw in Java threatens the security of millions of PCs that may still have the application running on it.

By John P. Mello Jr., PC World |  Security, java, Java exploit

For Oracle, it's deja vu all over again.

Just days after it released a patch for a serious security flaw discovered last week in its Java programming language, the software is making headlines again because another previously unpublicized flaw in the program threatens the security of millions of PCs that may still have the application running on it.

Oracle released a fix Sunday for a Java flaw so serious that the U.S. Department of Homeland Security recommended that computer users disable the software unless using it was "absolutely necessary."

That advice was repeated Monday by the department's Computer Emergency Readiness Team (US-CERT) even after the patch was made available to users.

Vulnerablity for sale

Now it's being reported that an enterprising Black Hat is peddling a new Zero Day vulnerability for the latest version of Java (version 7, update 11) to up to two buyers for $5000 each.

Both weaponized and source code versions of the vulnerability were being offered by the seller, according to security blogger Brian Krebs, who discovered the offer on an exclusive cybercrime forum.

Since Krebs discovered the offer, he said, it has been removed from the crime forum, suggesting the seller found his buyers for the exploit.

"To my mind, this should dispel any illusions that people may harbor about the safety and security of having Java installed on an end-user PC without taking careful steps to isolate the program," Krebs wrote.

This latest Java exploit is worse than the last one because no one knows what it is, according to Bogdan Botezatu, senior e-threat analyst with anti-virus software maker Bitdefender.

In the flaw patched Sunday, he explained, the exploit code was identified by security researchers in some popular malware kits. With the latest flaw, it's only known to the seller.

"The current method of exploitation will likely remain unknown for a bigger timeframe, which will also increase the attackers' windows of opportunity," Botezatu said in an email.

Earlier this week, Botezatu noted in a blog that despite the patch pushed by Oracle on Sunday, cyber criminals continued to exploit the vulnerability on unpatched machines to install ransomware on them.

Oracle's security moves

Originally published on PC World |  Click here to read the original story.
Join us:






Answers - Powered by ITworld

ITworld Answers helps you solve problems and share expertise. Ask a question or take a crack at answering the new questions below.

Ask a Question