Once again a zero day vulnerability exploit is sold by cyber criminals in the underground, once again a the flaw is related to Oracle’s Java software that could allow to gain remote control over victim's machine.
The news has been reported by KrebsOnSecurity blog that announced that the exploit being sold on an Underweb forum.
The vulnerability is related to the most recent version of Java JRE 7 Update 9, it isn't present in previous versions of the framework, in particular the bug resides within the Java class “MidiDevice according the info provided by the seller that describes it with following statements:
“Code execution is very reliable, worked on all 7 version I tested with Firefox and MSIE on Windows 7,”
“I will only sell this ONE TIME and I leave no guarantee that it will not be patched so use it quickly.”
The exploited class is a component of Java that handles audio input and output.
It's easy to understand that similar vulnerability has a great value due the large diffusion of the application and the possibility to infect multiple OSs.
It's has discussed in several occasions the business born around zero-day exploit marketing, in many cases the knowledge on unknown vulnerability could be sold for hundreds of thousand dollars and the factor “Time” is essential because the information must be sold before the producers of compromised application will patch it causing the annulling for the value of the vulnerability.
This time the seller is expecting a conspicuous gain at “five digits”, and claims seem to be in line with the actual market price for a similar vulnerability.
Mitigate the attacks is very hard, the framework is installed on 3 billion devices according Oracle and it must be considered also that Java JRE is multi-platform application and that today Java component is installed on the majority of web site.
Waiting for a patch the popular blog suggests to adopt two browsers for navigation, one to use when visit those web sites that require Java, another for ordinary web navigation taking care to disable Java plugin and add-in.
We just have to hope that these exploits do not end up in the wrong hands, it could be very dangerous!