Oh, Java, Java, Java.
No sooner had Oracle patched a widely reported critical flaw in its cross-platform software environment than another Java zero-day exploit — one against which there's no defense — reared its ugly head.
Meanwhile, two different security firms independently reported that Oracle's patch, released late Sunday (Jan. 13), only partly fixed the first exploit — which itself may have been the result of a flawed patch for a still older Java zero-day exploit.
Such a bargain
Security blogger Brian Krebs, who monitors underground hacker forums, spotted a posting Monday (Jan. 14) from a malware developer offering to sell an entirely new Java zero-day for $5,000.
"What you get?" the seller said in broken English. "Unencrypted source files to the exploit ... Encrypted, weaponized version, simply modify the url in the php page that calls up the jar to your own executable url and you are set. You may pm [private message] me."
Without a copy of the source code or a demonstration of the exploit in action, it can't be verified if the seller was telling the truth. Krebs said the posting was later deleted, perhaps indicating that a buyer had been found.
But the incident illustrates how leaky Java, which was developed by Sun Microsystems nearly 20 years ago, can be.
As we reported last week, it's probably best just to disable Java entirely for Web browsers. Each new Java exploit is quickly built into browser exploit kits that lie in wait on infected Web pages.
It doesn't matter if you're on a Windows PC, a Mac or a Linux box. Java's built to run exactly the same way on all platforms.
(Just make sure you don't disable the Web scripting engine JavaScript. Despite the name, it's completely unrelated.)
Only halfway there
As for this week's patch being ineffectual, the two doubting security companies, Japan's Trend Micro and Immunity, Inc., of Miami Beach, Fla., aren't saying it doesn't work — for now.
But the critical flaw you heard about over the weekend was the result of two different flaws being combined into an effective exploit, and the Oracle patch apparently fixed only one of them.
Hence, the exploit no longer works, but the unfixed flaw is still there, waiting for someone to figure out another way to exploit it.
"The patch did stop the exploit, fixing one of its components," wrote Esteban Guillardoy of Miami Beach, Fla.-based Immunity Inc. on his company's blog. "But an attacker with enough knowledge of the Java code base and the help of another zero day bug to replace the one fixed can easily continue compromising users."
Dan Goodin of tech blog Ars Technica tried to get Oracle to comment on both new developments, but was instead referred to the company's patch announcement from Sunday.
Krebs has his own theory for why Oracle, a well-run company known for its solid big-business database software, has been unable to get ahead of the Java security issue.
"I feel strongly that Oracle is an enterprise software company that — through its acquisition of Sun Microsystems in 2010 — suddenly found itself on hundreds of millions of consumer systems," Krebs wrote. "The company lacks any kind of outward sign of awareness that its software is so broadly installed on consumer systems."