Windows 7: New Java Exploit Fetches $5,000 Per Buyer; Krebs on Security

Less than 24 hours after Oracle patched a dangerous security hole in its Java software that was being used to seize control over Windows PCs, miscreants in the Underweb were already selling an exploit for a different and apparently still-unpatched zero-day vulnerability in Java, KrebsOnSecurity has learned.



On Sunday, Oracle rushed out a fix for a critical bug in Java that had been folded into exploit kits, crimeware made to automate the exploitation of computers via Web browser vulnerabilities. On Monday, an administrator of an exclusive cybercrime forum posted a message saying he was selling a new Java 0day to a lucky two buyers. The cost: starting at $5,000 each.

The hacker forum admin’s message, portions of which are excerpted below, promised weaponized and source code versions of the exploit. This seller also said his Java 0day — in the latest version of Java (Java 7 Update 11) — was not yet part of any exploit kits, including the Cool Exploit Kit I wrote about last week that rents for $10,000 per month.

Though the purported new zero-day exploit has yet to be officially confirmed, it's certainly plausible. First, per Krebs: "I don't have the exploit or the source code or anything. That said, this was a sales thread posted by an administrator of this exclusive crime forum. It would be somewhat rare and ill-advised for a person in such a position to try to scam forum members, especially for just $5k."

Second, a critique of the latest Java patch by the OpenJDK community found that "while Oracle's quick fix appears to have broken the exploit chain ... building another chain could be possible -- and may already have happened within the shadows of the black-hat cracker community."

Is it just me or does it seem like every sense Oracle bought Sun Micro Java it has been exploited with revenge.

Researchers from Security Explorations, a Poland-based vulnerability research firm, claim to have found two new vulnerabilities in Java 7 Update 11 that can be exploited to bypass the software's security sandbox and execute arbitrary code on computers.

Oracle released Java 7 Update 11 last Sunday as an emergency security update in order to block a zero-day exploit used by cybercriminals to infect computers with malware.

Security Explorations successfully confirmed that a complete Java security sandbox bypass can be still be achieved under Java 7 Update 11 (JRE version 1.7.0_11-b21) by exploiting two new vulnerabilities discovered by the company's researchers, Adam Gowdiak, the company's founder, said Friday in a message sent to the Full Disclosure mailing list. The vulnerabilities were reported to Oracle on Friday, together with working proof-of-concept exploit code, he said.

According to Security Explorations' disclosure policy, technical details about the vulnerabilities will not be publicly disclosed until the vendor issues a patch.