I was just guessing on Monday when I said that the Java security patch pushed by Oracle on Sunday was “too little too late.” This appears to have been a lucky good guess on my part, as word is out now that the Java browser plugin still isn’t safe.
At least that’s what Brian Krebs is reporting on his blog Krebs On Security. Evidently there’s a black hat on a hacker forum who’s offering-up info to two buyers on a new vulnerability in the latest and greatest version of Java (that would be version 7, update 11) for the sum of $5,000 each.
Krebs published a piece of the hackers sales pitch, which is an interesting look at the underbelly of the Internet for those of us who don’t ever go there:
“…The best part is even-though java has failed once again and let users get compromised… guess what? I think you know what I’m going to say… there is yet another vulnerability in the latest version of java 7. I will not go into any details except with seriously interested buyers.”
The black hat goes on to say he’s already found one buyer and he’s looking for a second, then explains what the 5K buys:
“…What you get? Unencrypted source files to the exploit (so you can have recrypted as necessary, I would warn you to be cautious who you allow to encrypt… they might try to steal a copy) Encrypted, weaponized version, simply modify the url in the php page that calls up the jar to your own executable url and you are set. …”
The second buyer has already been found, Krebs assumes, as the reported thread has already been deleted from the forum.
There’s no word on what can be accomplished using this exploit, or if this exploit even exists, but why take chances? As I wrote on Monday, most people don’t need Java to surf the web. You’re better off without it. Even when it’s fully patched with no known exploits, that just means you’re waiting for the next exploit to be discovered.
The Internet is insecure enough already as it is without adding another layer of insecurity.