New Java Flaw Discovered, Selling for $5K on Black Web


Oh dear, oh dear. Oracle must think it’s experiencing a bad case of déjà vu right now – just days after it released a patch for a ‘serious’ vulnerability discovered in its Java software last week, news has emerged of yet another serious flaw that could threaten the security of millions of PCs around the world still running the application.

No doubt Oracle was hoping the negative publicity would finally die down following the furor over the last exploit, which the US Department of Homeland Security described as so serious that it recommended people disable the software altogether – advice that was repeated even after the patch was issued.

Now, security blogger Brian Krebs has thrown a new spanner in Oracle’s works, bringing to attention a post made by a known malware developer hawking a brand new Java vulnerability for the princely sum of $5,000.

“Unencrypted source files to the exploit,” the post advertises.

“Encrypted, weaponized version, simply modify the url in the php page that calls up the jar to your own executable url and you are set. You may pm [private message] me.”

The seller was offering both weaponized and source-code versions of the exploit, Krebs added.

Of course, it’s not possible to verify whether the exploit is genuine without a demonstration or a look at the source code, but Krebs did note that the post was later removed, which suggests either that it was fake or that the exploit had already been sold. In any case, the incident is another telling illustration of just how risky Java can be.

“To my mind, this should dispel any illusions that people may harbor about the safety and security of having Java installed on an end-user PC without taking careful steps to isolate the program,” warned Krebs in his post.

For most users, it’s probably far better to disable Java in the web browser altogether. The risk with Java exploits is that they can be quickly built into browser exploit kits, which then lie in wait for unsuspecting victims on compromised websites. Of course, not everyone has the luxury of disabling Java (some people need it for specific applications), and for those users Krebs recommends a two-browser approach: one browser for ‘normal’ browsing with Java disabled, and a second that is used only when Java applications are needed.

“A big part of the danger is that many users who have Java don’t even know they have it installed, nor can they recall why it was installed in the first place,” warns Krebs.

“What I’d like to see is an app or method — perhaps from Oracle? — that would help users determine when was the last time their computer used Java and for what purpose,” he adds.

“That, I think, might help a lot of people get off the fence and finally uninstall Java.”