Late on Sunday night, the Metasploit Exploit team was looking for kicks, and heard the word on the street that someone was passing around a reliable Java 0-day exploit. Thanks to Joshua J. Drake (jduck), we got our hands on that PoC, and then once again started our voodoo ritual. Within a couple of hours, we had a working exploit. Download Metasploit here, and apply the latest update to pick up the exploit.

The above example is a successful attack against a fully patched Windows 7 SP1 with Java 7 Update 6. We have also tested the module against the following environments:

- Mozilla Firefox on Ubuntu Linux 10.04
- Internet Explorer / Mozilla Firefox / Chrome on Windows XP
- Internet Explorer / Mozilla Firefox on Windows Vista
- Internet Explorer / Mozilla Firefox on Windows 7
- Safari on OS X 10.7.4

As a user, you should take this problem seriously, because there is currently no patch from Oracle. For now, our recommendation is to completely disable Java until a fix is available. NOTE: A fix is now available (Java 7 Update 7); please patch your system ASAP!

To try out this exploit: Get your free Metasploit download now, or update your existing installation. Meanwhile, we will keep this blog updated as more progress is made.

---

Aug 28 2012: This vulnerability has been assigned CVE-2012-4681.

Aug 30 2012: Oracle has released Java 7 Update 7.