A new Java zero-day is currently being sold on the underground market by a cybercriminal who’s asking a five-digit sum for the exploit.
According to Brian Krebs, the unpatched vulnerability affects all versions of Java JRE 7, but it doesn’t impact Java 6 or earlier variants.
The seller claims that the vulnerability exists in the MidiDevice.info class, which is responsible for handling audio input and output.
The exploit is allegedly very reliable for code execution, being tested with Firefox and MSIE on Windows 7.
Although the exact price hasn’t been revealed, the cybercriminal says he will only sell it “one time” for a five-figure sum.
On the other hand, who needs a zero-day when Oracle still hasn’t fixed an issue discovered months ago?
Although Security Explorations experts have demonstrated that the security hole which affects Java 5, 6 and 7 can be patched up in a matter of 30 minutes, Oracle seems determined to keep to its CPU release schedule and address the issue only in February 2013.