Slashdot Mirror


Another Java Exploit For Sale

tsamsoniw writes "Mere days after Oracle rolled out a fix for the latest Java zero-day vulnerabilities, an admin for an Underweb hacker forum put code for a purportedly new Java exploit up for sale for $5,000. Though unconfirmed, it's certainly plausible that the latest Java patch didn't do the job, based on an analysis by the OpenJDK community. Maybe it's high time for Oracle to fix Java to better protect both its enterprise customers and the millions of home users it picked up when it acquired Sun."

2 of 150 comments

  1. Doesn't Oracle have a bug bounty program for Java? by thue · Score: 4, Interesting

    Surely the bad publicity from a root exploit is worth more to Oracle than $5000? $5000 is peanuts in this context. Why doesn't Oracle have a bug bounty program to avoid problems like this?

  2. Re:Oracle owns Java now? by hairyfeet · Score: 4, Interesting

    The problem is that 2 different security groups have been analyzing the flaws that the malware guys used for the last exploit and say it could be 2 years before a proper fix is in place because the underlying code is "a mess".

    Of course any of us who had to deal with Sun's products in the past could have told them this; Sun was pretty piss poor when it came to code and security. This is why I've been saying give the LO guys at least 3 years before we start bitching, simply because it'll probably take that long to clean up the mess Sun left.

    The monkey in the wrench though, the fly in the ointment, the pain in the ass, is that Java usage was waaay down among consumers....until that fucking game showed up. I hope the guy who wrote Minecraft is happy, because just when we had weaned a lot of home users away from the tripe that is Java he had to build a hit game on it and drag us all back into the mess. I don't know which is worse, Minecraft bringing shitty Java back to the consumer desktop or the fact that Java will add the browser plugin (along with crapware) every time you update the damned thing. But in any case the malware writers are gonna have a field day, as all those Minecraft installs are a botnet waiting to happen, and if those security researchers are right all Oracle can do is slap band-aids on the mess that is Java.

    --
    ACs don't waste your time replying, your posts are never seen by me.