The administrator of an exclusive cyber crime forum has sold a purportedly new Java zero-day exploit for $5,000, just days after Oracle rushed out a fix to a different Java zero-day, according to reports. This new bout of vulnerabilities has prompted critics to call on Oracle to fix Java already, rather than continually slapping Band-Aids on Sun's code.
In a message posted Monday to an Underweb hacker forum, the admin put up for sale weaponized and source code versions of a Java exploit, one that Oracle did not fix with the latest update, according to security blogger Brian Krebs. The asking price was $5,000, and at least two buyers reportedly jumped on the deal.
Though the purported new zero-day exploit has yet to be officially confirmed, it's certainly plausible. First, per Krebs: "I don't have the exploit or the source code or anything. That said, this was a sales thread posted by an administrator of this exclusive crime forum. It would be somewhat rare and ill-advised for a person in such a position to try to scam forum members, especially for just $5k."
Second, a critique of the latest Java patch by the OpenJDK community found that "while Oracle's quick fix appears to have broken the exploit chain ... building another chain could be possible -- and may already have happened within the shadows of the black-hat cracker community."
Java has proven a security nightmare for years. Part of the problem, as observed by InfoWorld Security Adviser Roger Grimes, is that companies neglect to turn off Java, or even to roll out security patches as they emerge. The reason: "It's the number of mission-critical enterprise apps tied to specific Java versions. In case after case, IT security people say they can't patch Java in a more timely manner because doing so breaks too many vital applications."
Can Java be repaired, though? More important, has Oracle made an effort to find out? Krebs raised that very question as he called out the company for neglecting the customers it unwittingly acquired when it consumed Sun in 2010:
I feel strongly that Oracle is an enterprise software company that -- through its acquisition of Sun Microsystems in 2010 -- suddenly found itself on hundreds of millions of consumer systems. Much of the advice on how to lock down Java on consumer PCs simply doesn't scale in the enterprise, and vice-versa. Oracle's unprecedented four-day turnaround on a patch for the last zero-day flaw notwithstanding, the company lacks any kind of outward sign of awareness that its software is so broadly installed on consumer systems. Oracle seems to be sending a message that it doesn't want hundreds of millions of consumer users; those users should listen and respond accordingly.
Zsolt Sandor, a veteran Java developer, said that until Oracle gives Java a much-needed thorough code review, browser makers should build a Java applet whitelist into their products, so that browsers would simply refuse to run unapproved applets. "This would solve 99.9 percent of the cases until the code review is made and fixes are done," he wrote.
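To make the whitelist proposal concrete, here is an added example of the decision such a browser-side check would have to make; it is not code from the article, from Sandor, or from any browser vendor. It models applet tags as plain objects (so it runs outside a browser), assumes a hypothetical enterprise list of approved origins, and shows the two details a naive implementation gets wrong: an applet may pull several JARs from several places, and "approved" has to mean an exact origin match (scheme, host and port), not a string prefix, or a lookalike host slips through.

```javascript
// Added example, not part of the original article or any browser's code.
// A sketch of the applet whitelist check: a browser would run something like
// this before handing an <applet>/<object> element to the Java plug-in.
// Elements are plain objects here so the logic can be exercised in Node.

// Hypothetical enterprise allow list of origins (scheme + host + port) whose
// applets are approved. Constructed for this example.
const APPROVED_ORIGINS = new Set([
  "https://intranet.example.com",
  "https://apps.example.com:8443",
]);

// Resolve every location an applet loads code from. `codebase` is relative to
// the page URL; `archive` may list several JARs, comma-separated, each relative
// to the codebase. With no archive, class files come straight from codebase.
function appletJarUrls(el, pageUrl) {
  const base = new URL(el.codebase || "./", pageUrl);
  const archives = (el.archive || "")
    .split(",")
    .map((s) => s.trim())
    .filter(Boolean);
  if (archives.length === 0) {
    return [base];
  }
  return archives.map((a) => new URL(a, base));
}

// An applet is approved only if every JAR it pulls in comes from an approved
// origin over https (a plain-http JAR could be swapped on the wire). Comparing
// URL.origin, not a string prefix, is what defeats lookalike hostnames.
function isApprovedApplet(el, pageUrl) {
  return appletJarUrls(el, pageUrl).every(
    (u) => u.protocol === "https:" && APPROVED_ORIGINS.has(u.origin)
  );
}

// Decide for a page's worth of applet elements; returns the ids in each bucket.
function filterApplets(elements, pageUrl) {
  const allowed = [];
  const blocked = [];
  for (const el of elements) {
    (isApprovedApplet(el, pageUrl) ? allowed : blocked).push(el.id);
  }
  return { allowed, blocked };
}

// Constructed sample: applet tags as they might appear on an intranet page.
const SAMPLE_PAGE = "https://intranet.example.com/hr/timesheet.html";
const SAMPLE_APPLETS = [
  // relative codebase, two JARs, both resolve to the approved intranet origin
  { id: "timesheet", codebase: "applets/", archive: "timesheet.jar, util.jar" },
  // absolute codebase on an approved origin with a non-default port
  { id: "reports", codebase: "https://apps.example.com:8443/reports/", archive: "rep.jar" },
  // approved host, but plain http
  { id: "ad", codebase: "http://intranet.example.com/x/", archive: "x.jar" },
  // one approved JAR plus one from elsewhere: the whole applet is blocked
  { id: "mixed", codebase: "applets/", archive: "ok.jar, https://evil.example.net/drop.jar" },
  // hostname that starts with the approved one; a prefix check would pass it
  { id: "lookalike", codebase: "https://intranet.example.com.attacker.example/", archive: "a.jar" },
];

console.log(filterApplets(SAMPLE_APPLETS, SAMPLE_PAGE));
```

Running it allows only "timesheet" and "reports" and blocks the other three. A real deployment would also need a way to pin approved JARs by hash, since an approved origin can still serve a compromised archive, but the origin check above is the minimum a browser would need before the whitelist means anything.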
This story, "Is Oracle neglecting the consumer users it inherited from Sun?," was originally published at InfoWorld.com.