Pressure is piling onto Oracle over the security of its Java programming language, after a fresh exploit was touted on a hacker forum just days after the company released a patch for a separate security flaw.
At the beginning of the week, Oracle issued Java 7 Update 11 to fix critical flaw CVE-2013-0422, which was found in Java Update 10 and earlier versions of Java 7. The threat was so serious that the US Department of Homeland Security’s computer emergency team (US-CERT) recommended users completely disable Java in their web browsers, even after the patch was released.
“This will help mitigate other Java vulnerabilities that may be discovered in the future,” a CERT report said.
And Oracle's face is now reddening further after security blogger Brian Krebs found that a hacker has been selling another exploit for a seemingly unpatched zero-day vulnerability in Java. An administrator on an exclusive cybercrime forum posted that he was selling the exploit for as much as $5,000 (£3,122).
“New Java 0day [zero-day], selling to 2 people, 5k$ per person,” the message read. “And you thought Java had epically failed when the last 0day came out. I lol’d. The best part is even though java has failed once again and let users get compromised… guess what? I think you know what I’m going to say… there is yet another vulnerability in the latest version of java 7. I will not go into any details except with seriously interested buyers.”
The thread has since been deleted from the forum, indicating that a sale has been made, something sure to bring more concern to Oracle.
In a bad week for the Java platform, it has also been discovered that the Red October cyber-espionage network took advantage of Java vulnerabilities while stealing sensitive data, from 2007 onwards, from a multitude of government bodies and research institutions across the world. The campaign was only uncovered in late 2012, and ITProPortal investigated how Red October managed to stay hidden for so long.