Slashdot Mirror
Another Java Exploit For Sale
tsamsoniw writes "Mere days after Oracle rolled out a fix for the latest Java zero-day vulnerabilities, an admin for an Underweb hacker forum put code for a purportedly new Java exploit up for sale for $5,000. Though unconfirmed, it's certainly plausible that the latest Java patch didn't do the job, based on an analysis by the OpenJDK community. Maybe it's high time for Oracle to fix Java to better protect both its enterprise customers and the millions of home users it picked up when it acquired Sun."
Surely the bad publicity from a root exploit is worth more to Oracle than $5000? $5000 is peanuts in this context. Why doesn't Oracle have a bug bounty program to avoid problems like this?
Actually, this sounds off to me. $5K for an exploitable Java vulnerability? That's waaaaaay too cheap for the exploit market...white, grey or black. I think this guy is selling a crock of shit, but he knows that the big-money purchasers would be able to tell. So he's offering it for chump change, which is exactly what a chump happens to have on hand to pay.
For your security, this post has been encrypted with ROT-13, twice.
The problem is that 2 different security groups have been analyzing the flaws that the malware guys used for the last exploit and say it could be 2 years before a proper fix is in place because the underlying code is "a mess".
Of course any of us who had to deal with Sun's products in the past could have told them this, Sun was pretty piss poor when it came to code and security, this is why I've been saying give the LO guys at least 3 years before we start bitching simply because it'll probably take that long to clean up the mess Sun left.
The monkey in the wrench though, the fly in the ointment, the pain in the ass, is that Java usage was waaay down among consumers....until that fucking game showed up. I hope the guy who wrote Minecraft is happy because just when we had weened a lot of home users away from the tripe that is Java he had to build a hit game on it and drag us all back into the mess. I don't know which is worse, Micecraft bringing shitty Java back to the consumer desktop or that fact Java will add the browser plugin (along with crapware) every time you update the damned thing. But in any case the malware writers are gonna have a field day as all those Minecraft installs are a botnet waiting to happen and if those security researchers are right all Oracle can do is slap band aids on the mess that is Java..
ACs don't waste your time replying, your posts are never seen by me.
It's so weird. This betrayal at acquisition seems to play out over and over. A great team is disbanded by the heavy-handed and mouth-breathing attitude of the new boss.
I'm reminded of the Easter egg in Amiga OS 1.2, which was a secret message accessible by an obscure sequence of keystrokes, UI mouse clicks, and floppy disk ejection/insertion.
Welcome to the Panopticon. Used to be a prison, now it's your home.