Hackers Tout Fake Java Patch As Fresh Exploit Sells For Thousands

An exploit for a flaw separate from the one that caused havoc earlier this month has reportedly sold for thousands

The latest Java zero-day saga has taken a fresh twist, as malicious hackers started offering a fake patch as bait for new attacks, whilst an exploit for another flaw has reportedly sold for well over its $5,000 asking price.

The most recent weakness to hit Oracle’s software was used in a range of attacks, with exploit kits abusing it to serve up malware via hacked websites. Larry Ellison’s firm issued a patch, but that hasn’t stopped hackers going after Java in any way they see fit.

More Java joy

Trend Micro spotted “malware under the veil of a Java update”. “Once executed, this backdoor connects to a remote server that enables a possible attacker to take control of the infected system,” the security firm noted in a blog post.

“In light of the recent events surrounding Java, users must seriously consider their use of Java.”

Meanwhile, noted security blogger Brian Krebs gave an update today on what he believed to be a separate Java zero-day flaw. Underground sellers had been offering an exploit for the vulnerability for $5,000, but Krebs said sources indicated it “actually sold for quite a bit more”.

A “bidding war ensued”, according to Krebs, who reported on a sales pitch from the “underweb” offering two buyers access to the exploit’s unencrypted source files.

Oracle still hasn’t patched a number of Java flaws that could allow remote code execution, even though a security firm alerted it to the vulnerabilities back in September. Oracle was even offered guidance on how the flaws could be fixed in less than an hour, but has still not issued an update.