Follow Us

We use cookies to provide you with a better experience. If you continue to use this site, we'll assume you're happy with this. Alternatively, click here to find out how to manage these cookies

hide cookie message

New Java exploiton sale for $5000

Previously unpublicised flaw in Java threatens security of millions of PCs

Article comments

Just days after it released a patch for a serious security flaw discovered last week in its Java programming language, the software is making headlines again because another previously unpublicised flaw in the program threatens the security of millions of PCs that may still have the application running on it.

Oracle released a fix Sunday for a Java flaw so serious that the U.S. Department of Homeland Security recommended that computer users disable the software unless using it was "absolutely necessary."

That advice was repeated Monday by the department's Computer Emergency Readiness Team (US-CERT) even after the patch was made available to users.

Vulnerablity for sale

Now it's being reported that an enterprising Black Hat is peddling a new Zero Day vulnerability for the latest version of Java (version 7, update 11) to up to two buyers for $5000 each.

Both weaponised and source code versions of the vulnerability were being offered by the seller, according to security blogger Brian Krebs, who discovered the offer on an exclusive cybercrime forum.

Since Krebs discovered the offer, he said, it has been removed from the crime forum, suggesting the seller found his buyers for the exploit.

"To my mind, this should dispel any illusions that people may harbor about the safety and security of having Java installed on an end-user PC without taking careful steps to isolate the program," Krebs wrote.

This latest Java exploit is worse than the last one because no one knows what it is, according to Bogdan Botezatu, senior e-threat analyst with anti-virus software maker Bitdefender.

In the flaw patched Sunday, he explained, the exploit code was identified by security researchers in some popular malware kits. With the latest flaw, it's only known to the seller.

"The current method of exploitation will likely remain unknown for a bigger timeframe, which will also increase the attackers' windows of opportunity," Botezatu said in an email.

Earlier this week, Botezatu noted in a blog that despite the patch pushed by Oracle on Sunday, cyber criminals continued to exploit the vulnerability on unpatched machines to install ransomware on them.

Oracle's security moves

In addition to addressing the Zero Day vulnerability in Sunday's patch, Oracle also boosted Java's security setting to "high" by default. "That means that right now the user has to authorise the execution of Java applets that are not signed with a valid certificate," explained Jaimie Blasco, manager of AlienVault Labs, in an email.

While that move is a great step toward making Java more secure on a browser, Blasco noted, it is far from a panacea for Java's problems.

"In the past, we have seen that the attackers were able to steal a valid certificate to sign malicious code so it won't surprise me if we see this technique being used," he said.

Because Java appears to be riddled with vulnerabilities, Bitdefender's Botezatu recommends Oracle identify the core components of the software and rewrite it from scratch.

No doubt, more than a little rewriting of the software will be done when Oracle releases the next version of Java scheduled for September.



Share:

More from Techworld

More relevant IT news

Comments



Send to a friend

Email this article to a friend or colleague:

PLEASE NOTE: Your name is used only to let the recipient know who sent the story, and in case of transmission error. Both your name and the recipient's name and address will not be used for any other purpose.

Techworld White Papers

Choose – and Choose Wisely – the Right MSP for Your SMB

End users need a technology partner that provides transparency, enables productivity, delivers...

Download Whitepaper

10 Effective Habits of Indispensable IT Departments

It’s no secret that responsibilities are growing while budgets continue to shrink. Download this...

Download Whitepaper

Gartner Magic Quadrant for Enterprise Information Archiving

Enterprise information archiving is contributing to organisational needs for e-discovery and...

Download Whitepaper

Advancing the state of virtualised backups

Dell Software’s vRanger is a veteran of the virtualisation specific backup market. It was the...

Download Whitepaper

Techworld UK - Technology - Business

Innovation, productivity, agility and profit

Watch this on demand webinar which explores IT innovation, managed print services and business agility.

Techworld Mobile Site

Access Techworld's content on the move

Get the latest news, product reviews and downloads on your mobile device with Techworld's mobile site.

Find out more...

From Wow to How : Making mobile and cloud work for you

On demand Biztech Briefing - Learn how to effectively deliver mobile work styles and cloud services together.

Watch now...

Site Map

* *