
2 Buyers Shell Out $5K for Java Exploit

By Richard Adhikari
Jan 17, 2013 8:43 AM PT

An entrepreneurial hacker has found an exploit for a new zero-day vulnerability in Java and has sold it to at least two buyers at US$5,000 a pop, KrebsOnSecurity reports.

News of the latest vulnerability follows on from a critical bug that emerged last week for which Oracle rushed out a fix over the weekend. The new zero-day exists in the patch Oracle rushed out, Java 7 Update 11, the seller claimed.

Will the Real Cyber Shady Please Stand Up?

There's a burgeoning trade in finding and selling exploits. However, the sellers aren't all cybercriminals; some legitimate companies sell exploits to governments and law enforcement agencies around the world. Sales are unregulated.

One such company is Netragard, whose customers apparently include organizations in both the public and private sectors. Another is Vupen, which offers "exclusive and extremely sophisticated exploits for offensive security."

This latest Java zero-day exploit is attracting attention because "the very high degree of attention given to this issue and Java security in general is making it propitious for hackers to offer such [exploits] quickly for sale," Al Hilwa, research program director at IDC, told TechNewsWorld. "The value of their code is presumably highest before the patch is issued."

Shutting Off Java No Snap

The U.S. Computer Emergency Readiness Team on Monday urged users to disable Java even after applying Oracle's fix for the vulnerability discovered last week.

However, it may be difficult to determine which users can turn off Java in their browsers entirely without impacting legacy business applications that use Java applets, Andy Chou, chief technology officer at Coverity, warned.

Further, disabling a browser Java plugin doesn't affect the ability to execute local Java applications on a PC, Trustwave SpiderLabs said. Installing the Java Runtime Environment lets users execute Java apps locally.

Also, "There's a ton of Java applications out there that live on the server side that are not affected by recent vulnerabilities in the Java browser plugin," Chou pointed out. It will be costly to remove Java from server-side applications "as the code would have to be rewritten, and the issues we've seen are really unrelated to this way of using Java."

US-CERT did not respond to our request for comment on this story.

The Impact on Organizations

The impact on enterprises is twofold, Chou told TechNewsWorld. "On the IT side, they need to take management of Java browser plugins seriously. On the development side, this may be a good impetus to push these organizations to modernize legacy applications that use Java applets and port them to use HTML5 or some other technology."

The market is "already shifting to plugin-less browsing, and this [series of attacks against Java] will clearly accelerate that," Hilwa said.

Flawed Patching

Separately, Trustwave SpiderLabs has found a flaw in Oracle's January Critical Patch Update, released on Wednesday, that is somewhat related to the Java exploits.

This flaw is in the Oracle Application Framework, which was built using Java Enterprise Edition.

This flaw and the flaw for which an exploit is being sold "are for completely different product lines," David Byrne, managing consultant at Trustwave SpiderLabs, told TechNewsWorld. Still, the OAF flaw "is a major design flaw in the application" and better design practices and periodic security reviews "would have almost certainly prevented its introduction and led to earlier detection."

That raises the question of whether Oracle is doing enough to address the problem of vulnerabilities.

"I think Oracle will eventually work out a clearer strategy around Java in the browser, potentially outlining a direction where it ... may have to be sunsetted in the fullness of time," Hilwa remarked. "We have seen Java in the enterprise [is being] used less and less for client applications."

Oracle declined to comment for this story.
