Earlier this week Oracle rushed out a fix for a critical bug in Java that was reportedly being widely exploited by malicious sites to remotely execute code on a victim’s machine. Well, it only took one day after the patch arrived for a different and apparently still-unpatched zero-day vulnerability to start circulating online.
According to a report on KrebsOnSecurity, a fully "weaponized" executable that exploits the bug was being advertised for $5,000 apiece in an underground Internet forum. The price included a ready-to-use encrypted version of the exploit as well as the source code, so that it could be folded into other types of attacks.
The poster was looking for two buyers and said the exploit had already been sold to one other person. According to him, the attack is not yet part of any exploit kits, including the Cool Exploit Kit, which rents for $10,000 per month.
We've yet to hear of this latest vulnerability being exploited in the wild, and security blogger Brian Krebs admits he hasn't been able to verify the exploit exists. That said, he also notes the sales thread was posted by an administrator of an "exclusive crime forum" who is unlikely to be trying to scam forum members for $5K.
If you're not willing to take the risk, your best bet is to disable the Java browser plug-in. In fact, unless you absolutely need to run Java for certain browser-based applications, you should probably disable the plug-in even if you've patched to the latest version. The vast majority of websites will continue to run just fine.