Today @Kafeine was the first to announce the new Java 0day. This 0day allows an attacker to execute malicious code on any desktop with Java 1.7 u10 (or prior) installed – which is the latest version from Oracle.
After some preliminary analysis, this 0day appears to use a tactic similar to CVE-2012-5088, which Oracle patched last October. On top of using java.lang.invoke.MethodHandle.invokeWithArguments() as CVE-2012-5088 did, the attacker smartly takes advantage of MBeanInstantiator in order to obtain a reference to a restricted class from a trusted caller (MBeanInstantiator is trusted). This is accomplished via the findClass method, which in turn calls the inner loadClass method. The "heart" of the exploit:
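One practical way for a defender to triage applets seen on the wire is to look at the class names and method names a .class file references in its constant pool, since the chain described above leaves the strings MBeanInstantiator, findClass, MethodHandle and invokeWithArguments behind as CONSTANT_Utf8 entries. The following is an added example and not Trustwave's or Oracle's code: it parses the constant pool of a class file and reports which of those indicators it contains. The indicator list is an assumption drawn from the names in this post, the class file it scans is constructed inline for the demonstration, and a match is a triage signal rather than proof of exploitation, since legitimate JMX code also references MBeanInstantiator.

```python
"""Scan a Java .class file's constant pool for the class and method names
named in the write-up above.  Added example, not Trustwave's code; the
indicator list is an assumption drawn from the post and the sample class
files below are constructed inline."""
import struct

# JVM constant pool tags -> fixed payload size in bytes (Utf8 is variable).
CP_FIXED = {3: 4, 4: 4, 5: 8, 6: 8, 7: 2, 8: 2, 9: 4, 10: 4, 11: 4, 12: 4,
            15: 3, 16: 2, 18: 4}
CP_UTF8 = 1
TWO_SLOT_TAGS = {5, 6}  # CONSTANT_Long / CONSTANT_Double occupy two slots

# Strings the post associates with this exploit chain (assumed indicator set).
INDICATORS = (
    "com/sun/jmx/mbeanserver/MBeanInstantiator",
    "findClass",
    "java/lang/invoke/MethodHandle",
    "invokeWithArguments",
)


def utf8_constants(class_bytes):
    """Return every CONSTANT_Utf8 string in the class file's constant pool."""
    magic, = struct.unpack_from(">I", class_bytes, 0)
    if magic != 0xCAFEBABE:
        raise ValueError("not a Java class file")
    count, = struct.unpack_from(">H", class_bytes, 8)  # constant_pool_count
    offset, index, strings = 10, 1, []
    while index < count:
        tag = class_bytes[offset]
        offset += 1
        if tag == CP_UTF8:
            length, = struct.unpack_from(">H", class_bytes, offset)
            offset += 2
            strings.append(class_bytes[offset:offset + length].decode("utf-8", "replace"))
            offset += length
        elif tag in CP_FIXED:
            offset += CP_FIXED[tag]
        else:
            raise ValueError("unknown constant pool tag %d" % tag)
        # Long and Double take two slots, so the next valid index skips one.
        index += 2 if tag in TWO_SLOT_TAGS else 1
    return strings


def matched_indicators(class_bytes):
    """Return the indicators present in the class file, in INDICATORS order."""
    found = set(utf8_constants(class_bytes))
    return [name for name in INDICATORS if name in found]


def build_class(utf8_entries):
    """Construct a minimal class file whose constant pool holds the given Utf8
    entries plus one CONSTANT_Long, so the two-slot rule is exercised."""
    pool = bytearray()
    for text in utf8_entries:
        data = text.encode("utf-8")
        pool += struct.pack(">BH", CP_UTF8, len(data)) + data
    pool += struct.pack(">Bq", 5, 0)  # CONSTANT_Long: 8-byte payload, two slots
    count = len(utf8_entries) + 2 + 1  # slots used + 1, per the JVM spec
    header = struct.pack(">IHHH", 0xCAFEBABE, 0, 51, count)  # major 51 = Java 7
    # access_flags, this_class, super_class, then empty interface/field/method/attribute tables
    trailer = struct.pack(">HHHHHHH", 0x0021, 1, 1, 0, 0, 0, 0)
    return bytes(header + pool + trailer)


# Constructed samples: one that references the chain, one ordinary applet.
SUSPICIOUS_CLASS = build_class([
    "java/lang/Object", "com/sun/jmx/mbeanserver/MBeanInstantiator", "findClass",
    "java/lang/invoke/MethodHandle", "invokeWithArguments", "<init>",
])
BENIGN_CLASS = build_class(["java/lang/Object", "java/applet/Applet", "paint"])

if __name__ == "__main__":
    for label, blob in (("suspicious", SUSPICIOUS_CLASS), ("benign", BENIGN_CLASS)):
        print(label, matched_indicators(blob))
```

Run it as-is to see the two constructed samples classified, or pass the bytes of a real class extracted from an applet JAR to matched_indicators. Matching on all four names at once keeps false positives low; MBeanInstantiator alone turns up in legitimate JMX code, so a single hit is a reason to look closer, not a verdict.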
We are glad to announce that all our customers using Trustwave's Secure Web Gateway are protected against this 0day attack. There’s no need for any additional updates to be applied. A good continuation of last year’s streak of 4 out of 4 Java 0days blocked out of the box.
We will continue monitoring this threat and provide protection to our customers.