First Java 0day For The Year 2013

Today @Kafeine was the first to announce the new Java 0day. This 0day allows an attacker toexecute malicious code on any desktop with Java 1.7 u10 (or prior) installed –which is the latest version from Oracle.

After some preliminary analysis it seems this 0day is using a similar tactic toCVE-2012-5088,which was patched by Oracle last October. On top of using java.lang.invoke.MethodHandle.InvokeWithArguments()from CVE-2012-5088, the attacker smartly takes advantage of MBeanInstantiatorin order to get a reference to a restricted class from a trusted caller (MBeanInstantiatoris trusted). This is accomplished via the findClass method, which in turn willcall the inner loadClass method.

The "heart" of the exploit: Java 0day
We are glad to announce thatall our customers using Trustwave's Secure Web Gateway are protected against this 0day attack.There's no need for any additional updates to be applied. A good continuationof last year's streak of 4 out of 4 Java 0days blocked out of the box.

We will continue monitoring this threat and provide protection to our customers.

Trustwave reserves the right to review all comments in the discussion below. Please note that for security and other reasons, we may not approve comments containing links.