Yet another Java hole
Fresh exploit on sale less than 24 hours after Oracle patches two critical gaps
A vulnerability cracker announced the sale of a new zero-day Java exploit less than 24 hours after Oracle Corp released on Sunday the latest version of the platform, which plugged two critical gaps in the runtime library.
The seller, claiming the new malware is not included in any currently available exploit kit, put a price tag of $5000 on the supply of both a weaponised and a source-code version, plus support via personal messaging. They quickly claimed to have a buyer already and promised to sell to just one more.
In limiting the circulation of the exploit the seller would theoretically extend its shelf life, but in an unregulated industry such as the malware underworld there would be no way of preventing sell-on by the purchaser.
Brian Krebs, the security journalist who first broke the story, reported on Wednesday that the sales announcement thread had been deleted from the hacking forum where it was originally posted, suggesting a second buyer had come forward.
Oracle has been plagued by vulnerabilities in Java, which it inherited when it acquired the platform's creator Sun Microsystems Inc in January 2010 for $7.4bn. Security experts throughout the industry have repeatedly urged users to disable the Java runtime, which may explain why the asking price for the latest exploit was so low.