At the end of August we were urging everyone to disable Java on their machines due to a zero-day exploit being used to install malware. There was no patch available due to the slow pace at which Oracle moves, so the only way to protect against it was to disable Java completely.
Security expert Brian Krebs has highlighted the fact that another zero-day exploit has been discovered and is currently being offered for sale on an invite-only forum called Underweb. The seller wants a five-figure sum for the exploit, which he says takes advantage of a flaw in the Java component that handles audio input.
The exploit works on the most up-to-date version of the Java Runtime Environment (JRE 7 Update 9) and has been tested successfully on Windows 7 using either Internet Explorer or Firefox.
The sale was being offered last week, meaning by now it may be owned by someone willing to use it. Alternatively, others could have discovered the exploit too, and are now taking advantage of it, or at least planning to.
With Oracle’s slow response to the last zero-day exploit we can probably expect more of the same this time around, although you’d hope the company’s Java security team would learn from that experience.
If you currently have Java installed on your machine, is there a reason why? If you can’t think of one, then remove it and make your PC all the safer. It’s easy to do: just follow our guide on How to disable Java on everything.
More at Krebs on Security