Java exploits have been used for distributing malware for a while. See for example our blog post from last month.
Today a new Java 0-day vulnerability has surfaced up. It came with a public PoC armed and ready for exploitation, and even a Metasploit module was published just a few hours later. The “best” part is that currently there is no patch publicly available, nor any estimates as to when it will be released… all the necessary ingredients for a mass exploitation party!
But there is some good news as well – customers of all versions of Trustwave Secure Web Gateway are protected from this 0-day without any need for an update. This is the 4th 0-day Java exploit in the last year or so, but in all of these cases our customers had protection from day zero.
We wish you safe browsing!
Update 08/30/2012: Although this exploit actually leverages two different vulnerabilities, CVE-2012-4681 has now been assigned to it.