November 26, 2014

Another zero-day Java exploit for sale on Internet

(LiveHacking.Com) – Less than a day after Oracle patched the zero-day vulnerability in Java 7, security journalist Brian Krebs has discovered that a new Java zero-day exploit is now available to purchase, in a crimeware and malware Internet forum, for US$5,000 per sale.

At the beginning of this week, an administrator of an exclusive cybercrime forum revealed that he is offering exploit code for a new zero-day vulnerability in Java, but he is only willing to sell it twice.

The seller was offering source files to the exploit plus an encrypted, weaponized version, ready for use. Since spotting the forum post, Krebs has noticed that the thread has since been deleted from the forum. This most likely means that buyers were found.

“To my mind, this should dispel any illusions that people may harbor about the safety and security of having Java installed on an end-user PC without taking careful steps to isolate the program,” wrote Krebs.

The current frequency of Java exploits has led many to declare Java unsafe. Even after the latest update for Java 7, Adam Gowdiak, the founder and CEO of Security Explorations, who has found several critical vulnerabilities in Java, said that “We don’t dare to tell users that it’s safe to enable Java again.”

This was a sentiment echoed by HD Moore, chief security officer with Rapid7, the custodians of Metasploit, who said: “The safest thing to do at this point is just assume that Java is always going to be vulnerable. Folks don’t really need Java on their desktop.”

It looks like Gowdiak and Moore are right!
