KrebsOnSecurity reports that a Java zero-day is being sold on an underground forum for tens of thousands of dollars; he didn’t list a specific price.
The exploit, presently being sold by a member of an invite-only forum, targets a vulnerability in Java JRE 7 Update 9, the latest version of Java. The seller claims this flaw does not exist in Java 6 or earlier versions. According to the vendor, the weakness resides within the Java class “MidiDevice.Info,” a component of Java that handles audio input and output. “Code execution is very reliable, worked on all 7 version I tested with Firefox and MSIE on Windows 7,” the seller explained in a sales thread on his exploit.
Why are Java exploits so valuable? Oracle claims that some 3 billion devices run Java, including phones, Macs, PCs, and Linux operating systems.