
New Java Zero-Day Exploit Appears In Underground Market

An exploit for a Java zero-day is on sale for “five digits” in an underground forum, according to a recent report.

The previously unknown security flaw exists within the Java class “MidiDevice.Info,” a component that handles audio input and output, security writer Brian Krebs wrote on his KrebsOnSecurity blog Tuesday. Attackers could exploit the vulnerability to remotely seize control of systems that run a maliciously crafted Java program, Krebs said. According to the sales pitch posted on the invite-only Underweb forum, the seller claimed the exploit worked against both the Firefox and Internet Explorer Web browsers on Windows 7 machines.

While the seller did not set a specific price on the exploit, the “five digits” he is expecting is “roughly in line” with what a different Java zero-day exploit fetched on the underground over the summer, Krebs said. The author of the BlackHole exploit kit had said at the time that that particular exploit would have cost “about $100,000” if sold privately.

“I will sell only this ONE TIME and I leave no guarantee that it will not be patched so use it quickly,” the seller warned.


Security experts have repeatedly warned that users should disable the Java plugin in their Web browser or, better, uninstall the software. Criminals are increasingly targeting Java because of its broad install base; users who uninstall the Java Runtime Environment from their computers remove an entire attack vector.

“Realistically, everyone should act as if there is a zero-day attack in every browser plug-in,” Marcus Carey, security researcher at Rapid7, told SecurityWeek.

However, for some businesses the Java Runtime Environment is still essential, so it is “unfeasible” to ask employees to stop using Java altogether, Carey said. A good example is WebEx, the video conferencing software many organizations use to hold online meetings. For those organizations, Carey recommends using two browsers, one with the Java plugin disabled and one with the plugin enabled, and designating the non-Java browser as the default so that Java-enabled browsing is limited to the sites that actually need it.

Krebs also reported that the Java zero-day is present in the latest version of Java, Java JRE 7 Update 9, which Oracle released just a month ago on Oct. 16. This flaw, like several of the ones discovered in recent weeks, does not exist in Java 6 or earlier versions. SecurityWeek last week reported on a remote code execution vulnerability in Java Applet JAX Web services which was recently added to both the BlackHole and Gong Da exploit kits and which also does not affect Java 6 or earlier versions. Back in August, FireEye reported on a Java zero-day being exploited in the wild that affected only Java 7.
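Because the flaws described above affect only Java 7 (the current release, 7 Update 9, included) and not Java 6, the first thing a defender wants is a quick inventory of which hosts run a Java 7 runtime. The following is an added example, not code from the article or from Krebs, that parses the legacy `1.x.y_NN` string printed by `java -version` and triages a set of hosts. The host names and version strings are constructed sample data, and the `fixed_update` parameter is a placeholder for a future fix that did not exist at the time of writing.

```python
import re
from typing import Dict, List, NamedTuple, Optional


class JavaVersion(NamedTuple):
    major: int    # 6, 7, ... (the "x" in the legacy 1.x.y_NN scheme)
    update: int   # the _NN update number, 0 if absent


# First line that `java -version` prints to stderr on a 2012-era JRE, e.g.
#   java version "1.7.0_09"
#   java version "1.6.0_37"
_VERSION_RE = re.compile(r'java version "1\.(\d+)\.\d+(?:_(\d+))?"')


def parse_java_version(version_output: str) -> Optional[JavaVersion]:
    """Parse the legacy Java version string; return None if no version line is found."""
    m = _VERSION_RE.search(version_output)
    if not m:
        return None
    return JavaVersion(major=int(m.group(1)), update=int(m.group(2) or 0))


def affected_by_java7_only_flaw(v: JavaVersion, fixed_update: Optional[int] = None) -> bool:
    """True if this runtime is in the range the article describes as affected.

    Only Java 7 is affected; Java 6 and earlier are not. With no fix shipped yet,
    every Java 7 update through 7u9 counts as affected. fixed_update is an
    assumed placeholder: once Oracle ships a fix in 7uNN, pass NN here.
    """
    if v.major != 7:
        return False
    if fixed_update is None:
        return True
    return v.update < fixed_update


def triage_hosts(inventory: Dict[str, str], fixed_update: Optional[int] = None) -> List[str]:
    """Return the hosts whose `java -version` output indicates an affected Java 7 runtime.

    Hosts whose output cannot be parsed are skipped (they have no JRE on PATH or
    a non-legacy version string) and should be inventoried by other means.
    """
    affected = []
    for host, output in inventory.items():
        v = parse_java_version(output)
        if v is not None and affected_by_java7_only_flaw(v, fixed_update):
            affected.append(host)
    return sorted(affected)


# Constructed sample inventory: host name -> captured `java -version` stderr.
SAMPLE_INVENTORY = {
    "ws-finance-01": 'java version "1.7.0_09"\nJava(TM) SE Runtime Environment (build 1.7.0_09-b05)\n',
    "ws-finance-02": 'java version "1.6.0_37"\nJava(TM) SE Runtime Environment (build 1.6.0_37-b06)\n',
    "ws-eng-07":     'java version "1.7.0_07"\nJava(TM) SE Runtime Environment (build 1.7.0_07-b10)\n',
    "srv-build-01":  "'java' is not recognized as an internal or external command\n",
}

if __name__ == "__main__":
    for host in triage_hosts(SAMPLE_INVENTORY):
        print(f"{host}: Java 7 runtime, prioritize plugin disablement or removal")
```

The regex deliberately requires the closing quote so that build strings such as `1.7.0_09-b05` on the following line are not mistaken for a version line, and unparseable output is reported as unknown rather than as safe.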

It’s the season to go shopping, and it appears exploit developers and attackers aren’t sitting out the fun. Just last week (on Black Friday, no less) Krebs uncovered a seller offering a cross-site scripting vulnerability in Yahoo for a mere $700.

Earlier this month, researchers at Group-IB discovered a zero-day vulnerability in Adobe Reader being sold on criminal forums for between $30,000 and $50,000. The flaw reportedly bypasses the Adobe Reader X sandbox (Protected Mode) and has not yet been patched.

Adobe is still investigating whether the alleged zero-day “is in fact a vulnerability and a sandbox bypass,” but its security team has not yet seen a proof-of-concept or a sample, a company spokesperson told SecurityWeek. “Without it, there is nothing we can do, unfortunately—beyond continuing to monitor the threat landscape,” she said.

A $50,000 price tag limits the likely buyers to defense contractors, nation-states and the few criminal organizations able to recoup the cost, Carey said at the time. The Reader exploit was not yet a widespread threat to most consumers, but Carey warned that if it were ever added to BlackHole or another exploit kit, it would pose a far bigger one.
