Call it malware cash and carry: Less than 24 hours after Oracle on Sunday released a security update that addresses two critical zero-day vulnerabilities in Java that are being actively exploited by attackers, an online vulnerability seller began offering a brand-new Java bug for sale.
“On Monday, an administrator of an exclusive cybercrime forum posted a message saying he was selling a new Java 0day to a lucky two buyers. The cost: starting at $5,000 each,” said security reporter Brian Krebs, who was the first to report the vulnerability sales offer.
What does a starting price of $5,000 buy? “The hacker forum admin’s message … promised weaponized and source code versions of the exploit. This seller also said his Java 0day — in the latest version of Java (Java 7 Update 11) — was not yet part of any exploit kits,” said Krebs.
Network Computing