Less than 24 hours after Oracle patched a dangerous security hole in its Java software that was being used to seize control over Windows PCs, miscreants in the Underweb were already selling an exploit for a different and apparently still-unpatched zero-day vulnerability in Java, KrebsOnSecurity has learned.
Update, Apr. 2, 2:57 p.m. ET: This sales thread turned out to be an elaborate hoax designed by a cybercrime forum administrator to learn the screen name I was using to browse exclusive sections of his forum. See this story for more information on that.
On Sunday, Oracle rushed out a fix for a critical bug in Java that had been folded into exploit kits, crimeware made to automate the exploitation of computers via Web browser vulnerabilities. On Monday, an administrator of an exclusive cybercrime forum posted a message saying he was selling a new Java 0day to a lucky two buyers. The cost: starting at $5,000 each.
The hacker forum admin’s message, portions of which are excerpted below, promised weaponized and source code versions of the exploit. This seller also said his Java 0day — in the latest version of Java (Java 7 Update 11) — was not yet part of any exploit kits, including the Cool Exploit Kit I wrote about last week that rents for $10,000 per month. From his sales pitch:
“New Java 0day, selling to 2 people, 5k$ per person
And you thought Java had epically failed when the last 0day came out. I lol’d. The best part is even though java has failed once again and let users get compromised… guess what? I think you know what I’m going to say… there is yet another vulnerability in the latest version of java 7. I will not go into any details except with seriously interested buyers.
Code will be sold twice (it has been sold once already). It is not present in any known exploit pack including that very private version of [Blackhole] going for 10$k/month. I will be accepting counter bids if you wish to outbid the competition. What do you get? Unencrypted source files to the exploit (so you can have recrypted as necessary, I would warn you to be cautious who you allow to encrypt… they might try to steal a copy). Encrypted, weaponized version, simply modify the url in the php page that calls up the jar to your own executable url and you are set. You may pm me.”
The seller must have found a second buyer for the exploit, because the thread has since been deleted from the crime forum. To my mind, this should dispel any illusions that people may harbor about the safety and security of having Java installed on an end-user PC without taking careful steps to isolate the program. I should note that this same thing happened not long after Oracle released a Java update in October; a few weeks later, a Java 0day was being sold to a few private users on this same Underweb forum.
Yes, there are still sites that require Java, but most users can — and should — get by without it. For tips on how to keep Java without exposing your computer to a constant stream of zero-day exploits, see my Java Q&A from this past weekend.
I got into a bit of a Twitter fight yesterday with several readers on this point, but I feel strongly that Oracle is an enterprise software company that — through its acquisition of Sun Microsystems in 2010 — suddenly found itself on hundreds of millions of consumer systems. Much of the advice on how to lock down Java on consumer PCs simply doesn’t scale in the enterprise, and vice-versa. Oracle’s unprecedented four-day turnaround on a patch for the last zero-day flaw notwithstanding, the company lacks any kind of outward sign of awareness that its software is so broadly installed on consumer systems. Oracle seems to be sending a message that it doesn’t want hundreds of millions of consumer users; those users should listen and respond accordingly.