
Day after patch, Java zero-day sold to highest bidders

With exploit sold for $5,000 via cybercrime forum, experts double down on calls for consumers to uninstall the software

By Taylor Armerding, CSO
January 17, 2013 07:41 AM ET

CSO - Less than a day after Oracle issued a patch for a vulnerability in its Java browser plug-in software that was allowing attackers to get control of Windows PCs, yet another zero-day exploit for an unpatched Java security hole was being marketed on the Underweb.


Brian Krebs, author of the KrebsonSecurity blog, reported on Wednesday that on Monday "an administrator of an exclusive cybercrime forum posted a message saying he was selling a new Java 0day to a lucky two buyers. The cost: starting at $5,000 each."

Krebs posted a portion of the message, which said the buyers would get, "unencrypted source files to the exploit (so you can have recrypted as necessary, I would warn you to be cautious who you allow to encrypt... they might try to steal a copy) Encrypted, weaponized version, simply modify the url in the php page that calls up the jar to your own executable url and you are set. You may pm me."

That message had been deleted by Wednesday, which likely meant the seller had found another buyer, Krebs said. "[That] should dispel any illusions that people may harbor about the safety and security of having Java installed on an end-user PC without taking careful steps to isolate the program," he wrote.

"Java is fundamentally broken because it is built upon a broken promise: That it runs in a protected sandbox which somehow protects the user," Krebs told CSO Online on Wednesday.

Sunday's patch was an effort to quiet a firestorm of criticism, and calls from a majority of security experts and even the Department of Homeland Security (DHS) for consumers to disable Java on their PCs.

This latest report intensified some of those calls, but it also prompted a bit of pushback, although not in the form of any major defense of Oracle. Simon Crosby, cofounder and CTO of Bromium, argued in a blog post on Tuesday that banning or disabling Java would not solve the problem. "Humans develop buggy code -- in all languages -- and though the more modern ones are harder to exploit, they can all be subverted," he wrote. "Moreover, many users (and businesses) depend on Java ... banning it would severely impact my ability to work."

Crosby wrote that "micro-virtualization" can solve the problem with Java and other insecure applications with "hardware isolation to enforce 'need to know' on a per-task basis on the endpoint."


That would be a longer term solution, he said. "It guarantees that when the next zero-day comes along, the attacker cannot steal any information or gain access to the corporate network."

Isolation was, of course, a recommendation Krebs also made. And while acknowledging that Java could be necessary on some sites, he noted: "Most users can -- and should -- get by without it."
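For readers who want to act on that advice rather than just read it, the following is an added configuration example, not something from the article or from Oracle's advisory. It shows the Java deployment settings an administrator can use to turn off the browser plug-in (the attack surface every exploit discussed above depends on) while leaving the Java runtime itself installed for desktop applications. The file paths, the `deployment.config` indirection and the `.locked` suffix follow Oracle's documented deployment-properties conventions for Java 7 Update 10 and later; treat the exact paths as assumptions to verify against the JRE version actually deployed.

```properties
# deployment.config  (system-wide pointer; on Windows lives under
# %WINDIR%\Sun\Java\Deployment\, on Linux under /etc/.java/deployment/)
# "mandatory=true" means the JRE refuses to start web applets if the
# referenced properties file cannot be read, so a tampered or missing
# file fails closed rather than open.
deployment.system.config=file:///C:/Windows/Sun/Java/Deployment/deployment.properties
deployment.system.config.mandatory=true

# deployment.properties  (the file referenced above)

# The weak setting most consumer PCs were running in January 2013:
# Java content allowed in every browser that finds the plug-in.
#   deployment.webjava.enabled=true

# The hardened setting: disable Java content in all browsers. Desktop
# Java applications and Java Web Start launched outside a browser are
# unaffected, which is why this is a cheaper fix than uninstalling.
deployment.webjava.enabled=false
# Lock the value so the Java Control Panel cannot re-enable it per user.
deployment.webjava.enabled.locked

# Belt and braces for the cases where a site genuinely needs applets and
# webjava must stay on: require the highest security level (7u10+ levels
# are LOW, MEDIUM, HIGH, VERY_HIGH), which refuses unsigned and
# self-signed applets before any sandbox escape can be attempted.
deployment.security.level=VERY_HIGH
deployment.security.level.locked
```

Two caveats a practitioner will want. First, `deployment.webjava.enabled` only governs what the JRE exposes; browsers that have already loaded the plug-in should also have it disabled or click-to-play in their own settings, and an older JRE left on disk beside the patched one remains reachable by direct path. Second, the security-level setting mitigates only the unsigned-applet path; the exploit being sold in the article was described as shipping a weaponized JAR with its own loader page, so disabling the plug-in outright, as Krebs recommends, is the setting that actually removes the attack surface.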

Krebs and others have been saying for some time that Oracle doesn't really want millions of consumer users anyway. "Oracle is an enterprise software company that -- through its acquisition of Sun Microsystems in 2010 -- suddenly found itself on hundreds of millions of consumer systems," he wrote.
