Only days after the last security flaw was patched by Oracle, a fresh zero-day vulnerability has been found and put up for sale for $5,000.
Java, or the Perpetual Vulnerability Machine as one security expert has dubbed it, is one of the pieces of software most exploited by cyber-criminals, leading a range of experts to warn users to disable the browser version of the software "unless absolutely necessary."
On Sunday, Java's owner, Oracle, rushed out an emergency fix for a vulnerability that was being actively exploited by cyber-criminals, but it appears that this simply plugged one hole for another to appear almost instantaneously.
Security expert Brian Krebs has found that another zero-day vulnerability has surfaced and that an exploit taking advantage of the security flaw was already on sale. Krebs made the discovery on an exclusive cybercrime forum where an administrator posted a message saying he was willing to sell the exploit to just two lucky buyers, with the price starting at $5,000.
A section of the message read:
"New Java 0day, selling to 2 people, 5k$ per person. There is yet another vulnerability in the latest version of Java 7. I will not go into any details except with seriously interested buyers."
The forum member also said the exploit was not included in any of the other exploit kits available on the market today. Exploit kits, such as Blackhole, are made to automate the exploitation of computers via web browser vulnerabilities and sell for up to $10,000 a month.
Since the message was posted, it has been removed from the forum, indicating that the sale has been completed.
Krebs warned: "To my mind, this should dispel any illusions that people may harbour about the safety and security of having Java installed on an end-user PC without taking careful steps to isolate the program."
While Krebs admits that he cannot confirm if the exploit actually exists, he says it would be "rare and ill-advised" for an administrator of such a forum to scam fellow members, especially for just $5,000.
Oracle has been heavily criticised in the past for failing to react quickly enough to security problems with the Java software, and despite last week's quick patch, the problems facing Oracle are enormous.
Earlier this week, HD Moore, chief security officer with online security company Rapid7, told Reuters it could take two years for Oracle to fix all the security bugs already identified in the Java used in web browsers. "The safest thing to do at this point is just assume that Java is always going to be vulnerable. Folks don't really need Java on their desktop."
Whether through desktop apps or installed as a browser plug-in, Java is on hundreds of millions of PCs around the world, and unless Oracle changes the way it approaches the security of the software, things could begin to get out of hand very quickly.