Krebs on Security – (International) Java zero-day exploit on sale for ‘five digits’. Miscreants in the cyber underground are selling an exploit for a previously undocumented security hole in Oracle’s Java software that attackers can use to remotely seize control over systems running the program, KrebsOnSecurity has learned. The flaw, currently being sold by an established member of an invite-only Underweb forum, targets an unpatched vulnerability in Java JRE 7 Update 9, the most recent version of Java (the seller says this flaw does not exist in Java 6 or earlier versions). According to the vendor, the weakness resides within the Java class “MidiDevice.Info,” a component of Java that handles audio input and output. “Code - 13 - execution is very reliable, worked on all 7 version I tested with Firefox and MSIE on Windows 7,” the seller explained in a sales thread on his exploit. It is not clear whether Chrome also is affected.
Ali Loney, on November 27, 2012