It's a sunny (zero) day for Java

Java exploits have beenused for distributing malware for a while. See for example our blog post fromlast month.

Today a new Java 0-day vulnerability has surfaced up. Itcame with a public PoC armed and ready for exploitation, and even a Metasploitmodule was published just a few hours later. The "best" part is that currentlythere is no patch publicly available, nor any estimates as to when it will bereleased… all the necessary ingredients for a mass exploitation party!

But there is some good news as well – customers ofall versions of Trustwave Secure Web Gateway are protected from this 0-day without any need for anupdate. This is the 4th 0-day Java exploit in the last year or so, but in allof these cases our customers had protection from day zero.

We wish you safe browsing!

Update 08/30/2012: Although this exploit actually leverages two different vulnerabilities, CVE-2012-4681 has now been assigned to it.

Trustwave reserves the right to review all comments in the discussion below. Please note that for security and other reasons, we may not approve comments containing links.