Three days ago on Sunday, Oracle patched yet another major zero-day security flaw in Java. The company isn't known for being keen on patching vulnerabilities in its Java software and usually takes its time, but this one was so serious that it issued a fix very quickly and outside its usual patch schedule. In fact, the US Department of Homeland Security recommended that the software be disabled unless it was "absolutely necessary" to use it. Even after the patch was issued, the same advice was repeated on Monday by the department's Computer Emergency Readiness Team (US-CERT).
This time, however, an even worse zero-day flaw has been uncovered, and very few people know about it. That makes it much more dangerous, since the window of opportunity for exploitation is bigger. Security blogger Brian Krebs discovered it by visiting an exclusive cybercrime forum where, since Monday (Jan 14th), an exploit kit was being peddled by the site's admin for a staggering $5,000 to two lucky buyers, who were even invited to outbid each other. The exploit is present in the latest version of Java (v7 update 11) and, crucially, in no previous exploit kit, which is what allows the seller to command such a high price for it. His sales pitch is quoted below, and it appears that the site's admin has since found a second buyer, because the thread has now been deleted.
The exploit kit works in the usual way, through web browser vulnerabilities that are exposed when Java is installed on the target's computer. So the advice remains to uninstall Java from your computer; no one should be under the illusion that their computer is safe with this security-hole-riddled software on it.