Get your exploit here, get your exploit here! Only days after Oracle patched a critical hole in Java, a new vulnerability is being sold on the black market for $5,000, or to the highest bidder.
A post popped up on a “hacker forum,” according to Krebs on Security, the day after Oracle released its fix for Java. The post, created by one of the forum’s administrators, boasted about a zero-day attack in Java that is not included in any exploit packs — or bundled tools to aid a person in hacking someone’s systems that are often sold on these underground markets. The advertisement has since been removed from the website, perhaps because someone already paid up the money. It read, in part:
“And you thought Java had epically failed when the last 0day came out. I lol’d. The best part is even though java has failed once again and let users get compromised… guess what? I think you know what I’m going to say… there is yet another vulnerability in the latest version of java 7. I will not go into any details except with seriously interested buyers.”
The hacker did mention, however, that the exploit came with Java source code and that it is a “weaponized version.” Bids higher than $5,000 are, of course, accepted.
The most recent hole Java fixed allowed hackers to enter a computer by using compromised websites as the entry point into Java. Once in the system, they could steal any information, or hook the computer up to a botnet — a string of infected computers that can be used to launch attacks against other computers.
The Department of Homeland Security issued a message prior to the fix, urging people to disable Java until it was patched up. After the patch came, however, DHS was unconvinced and warned people that Java likely still had holes in it, and that people should keep Java disabled.