New Java exploit put up for sale


Security administrators and IT managers probably know about the latest zero-day Java vulnerability that was widely reported last week, as well as the subsequent patch released by Oracle (NASDAQ: ORCL) that resolved one critical flaw and tightened security permissions to make the other one harder to exploit. The dust has barely settled, though, and already a new Java exploit appears to be up for sale.

This was first reported by cybersecurity blogger Brian Krebs, who spotted it advertised on a cybercrime forum with a starting price of $5,000. "I will accept counter bids if you wish to outbid the competition," writes the hacker peddling what he says is a unique Java exploit that will only be sold twice. According to him, the successful bidder will be given the unencrypted source files for the exploit, as well as the "encrypted, weaponized version."

Bearing in mind Oracle's track record of being slow to patch security vulnerabilities, it is no wonder that the United States Department of Homeland Security is advising computer users to disable Java in their web browsers for now.

"This and previous Java vulnerabilities have been widely targeted by attackers, and new Java vulnerabilities are likely to be discovered," notes the DHS in an alert published on the CERT site. "As with any software, unnecessary features should be disabled or removed as appropriate for your environment."

For more:
- check out this blog at KrebsOnSecurity
