Hello concerned citizens,


I suppose by now you've already noticed there has been a Java vulnerability, CVE-2013-0422, exploited in the wild at least since mid-December. This attack was first exposed by Kafeine in his blog post [here], and it quickly made its way to Metasploit so everybody can test the seriousness of the problem. The exploit works against all platforms (Linux, OS X, Windows) with whatever browser you're using, as long as the Java browser plugin is enabled. Basically, if you're running Java 7 Update 10 or prior, you are unfortunately affected by this:


[Screenshot omitted (taken 2013-01-10)]


CVE-2013-0422 does not actually affect Java 6 or older, but if you're still on Java 6 you're probably vulnerable to something else.
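A quick way to tell whether a host's Java runtime falls in the affected range is to parse the banner that `java -version` prints. The script below is an added example, not code from the original post or from Metasploit; the banner strings are constructed samples, and the affected range (Java 7 updates 0 through 10 affected, update 11 and later fixed, Java 6 not affected by this CVE) is taken from the text above.

```python
import re
import subprocess

# Constructed sample banners in the format `java -version` prints (it writes
# them to stderr). Only the first line matters for the check.
SAMPLE_BANNERS = {
    "7u10": 'java version "1.7.0_10"\nJava(TM) SE Runtime Environment',
    "7u11": 'java version "1.7.0_11"\nJava(TM) SE Runtime Environment',
    "7ga":  'java version "1.7.0"\nJava(TM) SE Runtime Environment',
    "6u38": 'java version "1.6.0_38"\nJava(TM) SE Runtime Environment',
}

# Java 7 reports itself as 1.7.0_<update>; the _<update> suffix is absent on GA.
_VERSION_RE = re.compile(r'version "(\d+)\.(\d+)\.(\d+)(?:_(\d+))?')


def parse_java_version(banner):
    """Return (major, minor, patch, update) parsed from a java -version banner,
    or None if no version string is present."""
    m = _VERSION_RE.search(banner)
    if m is None:
        return None
    major, minor, patch, update = m.groups()
    return (int(major), int(minor), int(patch), int(update or 0))


def is_affected_by_cve_2013_0422(banner):
    """True if the banner describes Java 7 Update 10 or earlier.

    Java 7 is the 1.7.x line; updates 0..10 are affected and update 11 carries
    Oracle's fix. Java 6 (1.6.x) and older are not affected by this CVE, though
    the post notes they are likely exposed to other bugs."""
    v = parse_java_version(banner)
    if v is None:
        raise ValueError("could not find a Java version in the banner")
    major, minor, _patch, update = v
    return (major, minor) == (1, 7) and update <= 10


def installed_java_banner():
    """Run `java -version` and return its output, or None if java is not on PATH."""
    try:
        proc = subprocess.run(["java", "-version"], capture_output=True, text=True)
    except FileNotFoundError:
        return None
    return proc.stderr + proc.stdout


if __name__ == "__main__":
    banner = installed_java_banner()
    if banner is None:
        print("no java on PATH")
    elif is_affected_by_cve_2013_0422(banner):
        print("affected: Java 7 Update 10 or earlier, disable the browser plugin")
    else:
        print("not in the affected range for CVE-2013-0422")
```

One caveat when running this on a real machine: the `java` on PATH is not always the same runtime the browser plugin loads. Check the Java Control Panel (or the browser's plugin list) as well, since an old 7u10 plugin can sit next to a newer command-line JRE.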


As of now, there's no patch from Oracle. Our recommendation is to completely disable Java in the browser until this bug is properly fixed (Java 7 Update 10 added an "Enable Java content in the browser" checkbox on the Java Control Panel's Security tab for exactly this purpose). If for some reason you cannot do that, here are some mitigations you can try:


  • Update your anti-virus definitions, which should block the known public exploits and their variants (though not necessarily a freshly repacked one).
  • In the Java Control Panel, under the "Security" tab, set the Security Level to "Very High". Thanks to bannedit for the suggestion.
  • Pray that people think you're very very nice, so nobody wants to hack you.


If you'd like to try out this Metasploit module to better validate your computer's defenses, please feel free to download Metasploit from here.  If you habitually use Metasploit Framework, you can just run msfupdate now to obtain it.  If you're a Metasploit Pro user, you should have this exploit already.


Jan 13, 2013 - Oracle releases Security Alert for CVE-2013-0422.