Miscreants in the cyber underground are selling an exploit for a previously undocumented security hole in Oracle’s Java software that attackers can use to remotely seize control over systems running the program, KrebsOnSecurity has learned.
The flaw, currently being sold by an established member of an invite-only Underweb forum, targets an unpatched vulnerability in Java JRE 7 Update 9, the most recent version of Java (the seller says this flaw does not exist in Java 6 or earlier versions).
According to the vendor, the weakness resides within the Java class “MidiDevice.Info,” a component of Java that handles audio input and output. “Code execution is very reliable, worked on all 7 version I tested with Firefox and MSIE on Windows 7,” the seller explained in a sales thread on his exploit. It is not clear whether Chrome also is affected. “I will only sell this ONE TIME and I leave no guarantee that it will not be patched so use it quickly.”
The seller was not terribly specific on the price he is asking for this exploit, but set the expected offer at “five digits.” The price of any exploit is ultimately whatever the market will bear, but this is roughly in line with the last Java zero-day exploit that was being traded and sold on the underground. In August, I wrote about a newly discovered Java exploit being folded into the BlackHole exploit kit, quoting the author of that crimeware tool as saying that “the price of such an exploit if it were sold privately would be about $100,000.”
I have repeatedly urged readers who have no use for Java to remove it from their systems entirely. This is a very complex program that is widely installed (Oracle claims that some 3 billion devices run Java), and those two qualities make it a favorite target for attackers. What’s more, Java is a cross-platform technology, meaning that applications written to run in Java can run seamlessly across multiple operating systems. Indeed, some 650,000 Mac users discovered this the hard way earlier this year, when the Flashback worm took advantage of an unpatched vulnerability that was present in Apple’s version of Java.
Apple has since taken steps to unplug Java from the browser in OS X, and this is the very approach I’ve recommended for users who need Java for specific Web sites or applications (see: How to Unplug Java from the Browser). If you need Java for specific Web sites, I would suggest a two-browser approach. If you normally browse the Web with Firefox, for example, consider disabling the Java plugin in Firefox, and then using an alternative browser (Chrome, IE9, Safari, etc.) with Java enabled to browse only the site that requires it.