Day after patch, Java zero-day sold to highest bidders

Less than a day after Oracle issued a patch for a vulnerability in its Java browser plug-in software that was allowing attackers to get control of Windows PCs, yet another zero-day exploit for an unpatched Java security hole was being marketed on the Underweb.

Brian Krebs, author of the KrebsonSecurity blog, reported on Wednesday that on Monday "an administrator of an exclusive cybercrime forum posted a message saying he was selling a new Java 0day to a lucky two buyers. The cost: starting at $5,000 each."

Krebs posted a portion of the message, which said the buyers would get, "unencrypted source files to the exploit (so you can have recrypted as necessary, I would warn you to be cautious who you allow to encrypt... they might try to steal a copy) Encrypted, weaponized version, simply modify the url in the php page that calls up the jar to your own executable url and you are set. You may pm me."

That message had been deleted by Wednesday, which likely meant the seller had found another buyer, Krebs said. "[That] should dispel any illusions that people may harbor about the safety and security of having Java installed on an end-user PC without taking careful steps to isolate the program," he wrote.

"Java is fundamentally broken because it is built upon a broken promise: That it runs in a protected sandbox which somehow protects the user," Krebs told CSO Online on Wednesday.

Sunday's patch was an effort to quiet a firestorm of criticism and calls not only from a majority of security experts but even the Department of Homeland Security (DHS) for consumers to disable Java on their PCs.

This latest report intensified some of those calls, but also a bit of pushback, although not in the form of any major defense of Oracle. Simon Crosby, cofounder and CTO of Bromium, argued in a blog post on Tuesday that banning or disabling Java would not solve the problem. "Humans develop buggy code -- in all languages -- and though the more modern ones are harder to exploit, they can all be subverted," he wrote. "Moreover, many users (and businesses) depend on Java ... banning it would severely impact my ability to work."

Crosby wrote that "micro-virtualization" can solve the problem with Java and other insecure applications with "hardware isolation to enforce 'need to know' on a per-task basis on the endpoint."

[See related: Java vulnerabilities increasingly targeted by attackers, researchers say]

That would be a longer term solution, he said. "It guarantees that when the next zero-day comes along, the attacker cannot steal any information or gain access to the corporate network."

Isolation was, of course, a recommendation Krebs also made. And while acknowledging that Java could be necessary on some sites, he notes: "Most users can -- and should -- get by without it."

Krebs and others have been saying for some time that Oracle doesn't really want millions of consumer users anyway. "Oracle is an enterprise software company that -- through its acquisition of Sun Microsystems in 2010 -- suddenly found itself on hundreds of millions of consumer systems," he wrote.

In a later tweet, he added, "In the end, Oracle doesn't want all these home/end users. The sooner these users stop being that, the better for all."

Oracle did not respond to a request for comment.

It may not be that simple, however. Rich Mogull, analyst and CEO of Securosis, noted that Java has a massive enterprise base. "Oracle isn't a consumer company, but Java is the sort of thing that bridges consumer and enterprise," he said.

But he agrees with Krebs that the Java sandbox has too many holes in it, "allowing code to escape and execute unsafely."

Bogdan "Bob" Botezatu, a senior e-threat analyst at Bitdefender, said Oracle has the same responsibilities towards all its customers. "After all, Java has a huge market share on end-user devices, such as Android, for instance and Oracle should cater to all its customers equally," he said.

But experts were unanimous on one key point: Don't trust Java to be secure. "For companies that regularly interact with Java via browsers, we recommend that they use one browser for surfing the web, with the Java plugin disabled, and another for intranets or secure resources running Java, with the Java plugin enabled," Botezatu said.

Krebs recommends a two-browser approach (one dedicated for use only with needed Java applications) for those who really need Java. But, he stresses most consumers do not need it. "A big part of the danger is that many users who have Java on their computers don't even know they have it installed, nor can they recall why it was installed in the first place," he said.

"What I'd like to see is an app or method -- perhaps from Oracle? -- that would help users determine when was the last time their computer used Java and for what purpose," he said. "That, I think, might help a lot of people get off the fence and finally uninstall Java."

Jeremiah Grossman, founder and CTO of WhiteHat Security, backs that idea. "It is better to uninstall Java entirely if one does not need it, as most don't," he said. "This will end the constant stream of patches."

Read more about application security in CSOonline's Application Security section.

Join the CSO newsletter!

Error: Please check your email address.

Tags applicationsUnderwebzero-daysecurityData Protection | Application SecurityAccess control and authenticationjavasoftwaredata protectionOracle

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Taylor Armerding

Latest Videos

  • 150x50

    CSO Webinar: Will your data protection strategy be enough when disaster strikes?

    Speakers: - Paul O’Connor, Engagement leader - Performance Audit Group, Victorian Auditor-General’s Office (VAGO) - Nigel Phair, Managing Director, Centre for Internet Safety - Joshua Stenhouse, Technical Evangelist, Zerto - Anthony Caruana, CSO MC & Moderator

    Play Video

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

More videos

Blog Posts

Market Place