Hacker Selling Java Zero-Day Vulnerability Online
According to researchers at Krebs on Security, an issue in the latest version of Java is being shopped around online by an unknown seller.
"According to the vendor, the weakness resides within the Java class 'MidiDevice.Info,' a component of Java that handles audio input and output, said Krebs on Security's Kevin Mitnick, who has been in contact with the mystery seller. "'Code execution is very reliable, worked on all 7 version I tested with Firefox and MSIE on Windows 7,' the seller explained in a sales thread on his exploit. It is not clear whether Chrome also is affected. 'I will only sell this ONE TIME and I leave no guarantee that it will not be patched so use it quickly.'"
While an exact price was not given, the user told Mitnick that he was looking for an offer of "five digits."
Mitnick took the opportunity to remind users of a precautionary action that seems to be prescribed more and more by security experts: just dump Java.
"I have repeatedly urged readers who have no use for Java to remove it from their systems entirely," said Mitnick. "This is a very complex program that is widely installed (Oracle claims that some 3 billion devices run Java), and those two qualities make it a favorite target for attackers."
Oracle has not commented on the validity of the flaw.