New Java 0-day Vulnerability [Update]
Jeremy Scott | August 29, 2012
The recently discovered and widely discussed Java vulnerability received an official security advisory (CVE-2012-4681) in the wake of reports of the 0-day being observed in targeted attacks.
Multiple advisories have been published stating that Oracle Java Runtime Environment (JRE) 1.7 contains a vulnerability that may allow or can lead to remote code execution. It has been confirmed that it can and does lead to remote code execution. This means exploitation of this issue can lead to host compromise through malware infection, etc. The vulnerability was quickly turned into exploit code for the Metasploit framework. Although current attack vectors (paths of exploitation) appear to be confined to browser-induced execution of malicious JAR files, this vulnerability and its exploitation affect all systems (Mac OS, Linux, Windows, etc.) running JRE 1.7.
The issue also affects multiple browsers, including, but not limited to, Internet Explorer, Firefox, Chrome, and Safari. Solutionary has received reports confirming that the exploit code for this vulnerability has been incorporated into the Blackhole Exploit Kit. As detailed in several previous posts and Solutionary Threat Reports, the incorporation of such a capability into a sophisticated attack toolkit like this one greatly increases the severity and risk posed by this vulnerability.
Solutionary would like to reiterate that until the vulnerability is addressed and a patch released, you should consider disabling Java plug-ins / add-ons in your web browsers. This mitigation will significantly affect browser functionality for web applications and Internet browsing where Java is needed, but if you keep Java enabled, you are vulnerable to this exploit.
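To decide where the plug-in needs disabling first, it helps to know which hosts actually run JRE 1.7. The script below is an added example, not part of the original post: it reads collected `java -version` banners and lists the hosts reporting the 1.7 family. The host names and the `host|banner` inventory format are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag hosts whose `java -version` banner reports JRE 1.7.

# Print the Java family ("1.6", "1.7", "17", ...) found in a banner string.
# Older releases report 1.<family>.<minor>_<update>; later releases dropped
# the leading "1.", so "17.0.1" must not be mistaken for 1.7.
java_family() {
    ver=$(printf '%s\n' "$1" | sed -n 's/.*version "\([^"]*\)".*/\1/p' | head -n 1)
    [ -n "$ver" ] || return 1            # no version string in the banner
    case "$ver" in
        1.[0-9]*) printf '%s\n' "$ver" | cut -d. -f1,2 ;;
        *)        printf '%s\n' "$ver" | cut -d. -f1 | cut -d- -f1 ;;
    esac
}

# Read "host|banner" lines on stdin and print each host running JRE 1.7.
# Lines without a recognisable banner (Java not installed) are skipped.
affected_hosts() {
    while IFS='|' read -r host banner; do
        [ -n "$host" ] || continue
        fam=$(java_family "$banner") || continue
        if [ "$fam" = "1.7" ]; then
            printf '%s\n' "$host"
        fi
    done
    return 0
}

# Constructed sample inventory (assumed format: hostname|first banner line).
sample_inventory() {
    cat <<'EOF'
ws-01|java version "1.7.0_06"
ws-02|java version "1.6.0_33"
mac-03|java version "1.7.0_05"
srv-04|openjdk version "17.0.1" 2021-10-19
kiosk-05|sh: java: command not found
EOF
}

sample_inventory | affected_hosts
```

The check covers only the Java that answers on each host's `PATH`; a browser plug-in bundled with a separately installed JRE has to be inventoried as well.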

