New zero-day Java exploit selling in online forum for $5,000

By on January 16, 2013, 1:00 PM

Earlier this week Oracle rushed out a fix for a critical bug in Java that was reportedly being widely exploited by malicious sites to remotely execute code on a victim’s machine. Well, it only took one day after the patch arrived for a different and apparently still-unpatched zero-day vulnerability to start circulating online.

According to a report on KrebsOnSecurity, a fully "weaponized" executable that exploits the bug was being advertised for $5,000 apiece in an underground Internet forum. The price included a ready-to-use encrypted version of the exploit as well as the source code, so that it could be folded into other types of attacks.

The poster was looking for two buyers and said the exploit had already been sold to one other person. According to him, the attack is not yet part of any exploit kits, including the Cool Exploit Kit, which rents for $10,000 per month.

We've yet to hear of this latest vulnerability being exploited in the wild, and security blogger Brian Krebs admits he hasn't been able to verify the exploit exists. That said, he also notes the sales thread was posted by an administrator of an "exclusive crime forum" who is unlikely to be trying to scam forum members for $5K.

If you're not willing to take the risk, your best bet is to disable the Java browser plugin. In fact, unless you absolutely need to run Java for certain browser-based applications, you should probably disable the plugin even if you've patched to the latest version. The vast majority of websites will continue to run just fine.
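One way to check and apply that mitigation at the Java runtime level, rather than browser by browser, is to set the deployment property that turns off Java content in browsers. The script below is an added example and is not code from the article or from Oracle; the key name deployment.webjava.enabled (the setting behind the "Enable Java content in the browser" checkbox added in Java 7u10) and the per-user locations of deployment.properties are assumptions, and the sample properties text is constructed.

```python
"""Audit and harden the Java deployment.properties setting that controls
whether Java content runs in the browser.

Assumptions (not stated by the article): the key deployment.webjava.enabled
(Java 7u10+) disables browser Java when set to "false", and the per-user
deployment.properties lives at one of the CANDIDATE_PATHS below.
"""
import os
import sys
from pathlib import Path

# Assumed key name; Java treats a missing key as "true" (plugin enabled).
WEBJAVA_KEY = "deployment.webjava.enabled"

# Assumed per-user file locations (Windows, Linux, macOS); adjust if needed.
CANDIDATE_PATHS = [
    Path(os.environ.get("USERPROFILE", "")) / "AppData" / "LocalLow" / "Sun"
    / "Java" / "Deployment" / "deployment.properties",
    Path.home() / ".java" / "deployment" / "deployment.properties",
    Path.home() / "Library" / "Application Support" / "Oracle" / "Java"
    / "Deployment" / "deployment.properties",
]

# Constructed sample of a weak configuration: browser Java left enabled.
SAMPLE_WEAK = (
    "# constructed example, not a real user's file\n"
    "deployment.version=7.10\n"
    "deployment.webjava.enabled=true\n"
)


def parse_properties(text):
    """Parse Java .properties text into a dict (key -> value).
    Handles '#'/'!' comment lines and '=' or ':' separators; skips blanks."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        for sep in ("=", ":"):
            if sep in line:
                key, _, value = line.partition(sep)
                break
        else:
            key, value = line, ""
        props[key.strip()] = value.strip()
    return props


def _key_of(line):
    """Return the property key of a non-comment line (either separator)."""
    return line.partition("=")[0].partition(":")[0].strip()


def web_java_enabled(text):
    """True if Java content in browsers is enabled for this configuration.
    A missing key counts as enabled because that is Java's default."""
    value = parse_properties(text).get(WEBJAVA_KEY, "true")
    return value.lower() != "false"


def disable_web_java(text):
    """Return the configuration with WEBJAVA_KEY forced to false.
    The first existing entry is rewritten, duplicates are dropped, every
    other line (comments, other settings) is preserved unchanged."""
    out, replaced = [], False
    for raw in text.splitlines():
        stripped = raw.strip()
        if stripped and stripped[0] not in "#!" and _key_of(stripped) == WEBJAVA_KEY:
            if not replaced:
                out.append(f"{WEBJAVA_KEY}=false")
                replaced = True
            continue
        out.append(raw)
    if not replaced:
        out.append(f"{WEBJAVA_KEY}=false")
    return "\n".join(out) + "\n"


def audit_and_fix(apply_fix=False):
    """Report the state of each existing deployment.properties file and,
    when apply_fix is set, rewrite it with browser Java disabled.
    Returns a dict of path -> enabled-before-fix for the files found."""
    findings = {}
    for path in CANDIDATE_PATHS:
        if not path.is_file():
            continue
        text = path.read_text(encoding="utf-8")
        findings[str(path)] = web_java_enabled(text)
        if apply_fix and findings[str(path)]:
            path.write_text(disable_web_java(text), encoding="utf-8")
    return findings


if __name__ == "__main__":
    # Demonstrate on the constructed sample, then audit the real files.
    print("sample enabled:", web_java_enabled(SAMPLE_WEAK))
    print(disable_web_java(SAMPLE_WEAK))
    for where, enabled in audit_and_fix("--fix" in sys.argv).items():
        print(f"{where}: browser Java {'ENABLED' if enabled else 'disabled'}")
```

Run it without arguments to audit; run it with `--fix` to rewrite any file where the plugin is still enabled. Because a missing key defaults to enabled, the check treats absence as a finding rather than as safe.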




hahahanoobs said:

Chrome disable instructions:

Step 1: Open Chrome and type chrome://plugins into the location bar.

Step 2: Click Disable underneath the Java plugin.

David T. said:

You can also disable Java in Chrome but make exceptions so you can still view YouTube correctly. chrome://settings, select Show Advanced Settings, under Privacy select Content Settings, select "Do not allow any site to run JavaScript", then select right under it: Manage exceptions, add in the trusted sites while blocking the untrusted sites.

Darth Shiv said:

@David Java is NOT JavaScript. YouTube doesn't need Java to run.
