Late on Sunday night, the Metasploit Exploit team was looking for kicks, and heard the word on the street that someone was passing around a reliable Java 0-day exploit. Thanks to Joshua J. Drake (jduck), we got our hands on that PoC, and then once again started our voodoo ritual. Within a couple of hours, we had a working exploit. Download Metasploit here, and apply the latest update to pick up the exploit.
The above example is a successful attack against a fully patched Windows 7 SP1 with Java 7 Update 6. We have also tested the module against the following environments:
- Mozilla Firefox on Ubuntu Linux 10.04
- Internet Explorer / Mozilla Firefox / Chrome on Windows XP
- Internet Explorer / Mozilla Firefox on Windows Vista
- Internet Explorer / Mozilla Firefox on Windows 7
- Safari on OS X 10.7.4
As a user, you should take this problem seriously, because there is currently no patch from Oracle. For now, our recommendation is to completely disable Java until a fix is available.
NOTE: A fix is now available (Java 7 Update 7). Please patch your system ASAP!
To try out this exploit: Get your free Metasploit download now, or update your existing installation. Meanwhile, we will keep this blog updated as more progress is made.
Aug 28 2012: This vulnerability has been assigned CVE-2012-4681.
Aug 30 2012: Oracle has released Java 7 Update 7.