An entrepreneurial hacker has found an exploit for a new zero-day vulnerability in Java and has sold it to at least two buyers at US$5,000 a pop, KrebsOnSecurity reports.
News of the latest vulnerability follows last week's disclosure of a critical bug, for which Oracle rushed out a fix over the weekend. The new zero-day exists in that very patch, Java 7 Update 11, the seller claimed.
Will the Real Cyber Shady Please Stand Up?
There’s a burgeoning trade in finding and selling exploits. However, the sellers aren’t all cybercriminals; some legitimate companies sell exploits to governments and law enforcement agencies around the world. Sales are unregulated.
One such company is Netragard, whose customers apparently include organizations in both the public and private sectors. Another is Vupen, which offers “exclusive and extremely sophisticated exploits for offensive security.”
This latest Java zero-day exploit is attracting attention because “the very high degree of attention given to this issue and Java security in general is making it propitious for hackers to offer such [exploits] quickly for sale,” Al Hilwa, research program director at IDC, told TechNewsWorld. “The value of their code is presumably highest before the patch is issued.”
Shutting Off Java No Snap
The U.S. Computer Emergency Readiness Team on Monday urged users to disable Java even after applying Oracle’s fix for the vulnerability discovered last week.
However, it may be difficult to determine which users can turn off Java in their browsers entirely without impacting legacy business applications that use Java applets, Andy Chou, chief technology officer at Coverity, warned.
Further, disabling a browser Java plugin doesn’t affect the ability to execute local Java applications on a PC, Trustwave SpiderLabs said. Installing the Java Runtime Environment lets users execute Java apps locally.
Also, “There’s a ton of Java applications out there that live on the server side that are not affected by recent vulnerabilities in the Java browser plugin,” Chou pointed out. It will be costly to remove Java from server-side applications “as the code would have to be rewritten, and the issues we’ve seen are really unrelated to this way of using Java.”
The US-CERT did not respond to our request to comment for this story.
The Impact on Organizations
The impact on enterprises is twofold, Chou told TechNewsWorld. “On the IT side, they need to take management of Java browser plugins seriously. On the development side, this may be a good impetus to push these organizations to modernize legacy applications that use Java applets and port them to use HTML5 or some other technology.”
The market is “already shifting to plugin-less browsing, and this [series of attacks against Java] will clearly accelerate that,” Hilwa said.
Flawed Patching
Separately, Trustwave SpiderLabs has found a flaw in Oracle’s January Critical Patch Update, released on Wednesday, that is somewhat related to the Java exploits.
This flaw is in the Oracle Application Framework, which was built using Java Enterprise Edition.
This flaw and the flaw for which an exploit is being sold “are for completely different product lines,” David Byrne, managing consultant at Trustwave SpiderLabs, told TechNewsWorld. Still, the OAF flaw “is a major design flaw in the application” and better design practices and periodic security reviews “would have almost certainly prevented its introduction and led to earlier detection.”
That raises the question of whether Oracle is doing enough to address the problem of vulnerabilities.
“I think Oracle will eventually work out a clearer strategy around Java in the browser, potentially outlining a direction where it … may have to be sunsetted in the fullness of time,” Hilwa remarked. “We have seen Java in the enterprise [is being] used less and less for client applications.”
Oracle declined to comment for this story.