Less than a week has passed since Oracle patched the zero-day vulnerability in Java 7 Update 10, and another zero-day exploit, which is said to work against the patched Java 7 Update 11, is already being sold on the cybercriminal underground market.
Brian Krebs, who came across an ad for the exploit on a hacker forum on Monday, reveals that the author had offered to sell it to two people for the price of $5,000 (3,750 EUR). The buyers were promised an “encrypted” and “weaponized” version of the exploit.
In the ad he posted, the seller claimed that the exploit was not integrated into any known crime kits, not even in the expensive Cool Exploit Kit.
According to Krebs, the seller most likely found buyers, since the post has since been removed from the forum.
This lends weight to the US Department of Homeland Security's advice that users should uninstall Java if they don't need it for their everyday tasks.
In its advisory, the DHS warned that while Oracle may have addressed one issue, older vulnerabilities remain unfixed and new security holes are identified in Java all the time.