An exploit for yet another critical Java software vulnerability began circulating online amid reports that the patch Oracle issued two days ago is incomplete.
In an article published Wednesday morning on KrebsOnSecurity, reporter Brian Krebs said a fully "weaponized" executable that exploits the bug was being advertised for $5,000 in an underground Internet forum. The price also included source code for the exploit so that it could be folded into other types of attacks. The advertisement came one day after Oracle rushed out a fix for an earlier critical vulnerability that was being "massively" exploited online. Researchers classified that vulnerability as CVE-2013-0422.
Krebs said the latest attack exploited "a different and apparently still-unpatched zero-day vulnerability in Java." His article came around the same time researchers from antivirus provider Trend Micro warned that the Oracle patch may not be effective at blocking some attacks.