Java exploits have beenused for distributing malware for a while. See for example our blog post fromlast month.
Today a new Java 0-day vulnerability has surfaced up. Itcame with a public PoC armed and ready for exploitation, and even a Metasploitmodule was published just a few hours later. The "best" part is that currentlythere is no patch publicly available, nor any estimates as to when it will bereleased… all the necessary ingredients for a mass exploitation party!
But there is some good news as well – customers ofall versions of Trustwave Secure Web Gateway are protected from this 0-day without any need for anupdate. This is the 4th 0-day Java exploit in the last year or so, but in allof these cases our customers had protection from day zero.
We wish you safe browsing!
Update 08/30/2012: Although this exploit actually leverages two different vulnerabilities, CVE-2012-4681 has now been assigned to it.