Security Response recently blogged about the Java zero-day that is active in the wild and being distributed by the Cool Exploit Kit. In addition to Cool Exploit Kit, we are aware that several other major exploit kits such as Blackhole, Redkit, and Impact are also equipped to exploit this unpatched vulnerability.
Symantec Security Response is currently detecting JAR files served up by the various exploit kits as Trojan.Maljava and we have further protection in place with Trojan.Maljava!gen26.
Additionally, Symantec has released the following IPS signatures to proactively block the malicious JAR files and associated exploit attempts:
- Web Attack: Malicious Java Download CVE-2013-0422
- Web Attack: Java JMX RCE CVE-2013-0422
- Web Attack: Java JMX RCE CVE-2013-0422 2
- Web Attack: Exploit Toolkit Website 15
Blocking the JAR files that contain the exploit prevents the download and execution of any additional malicious files the kit would otherwise deliver.
Our in-field telemetry shows IPS technology is blocking about 300,000 exploit kit attacks every day. The following heat map based on IPS detections for this exploit shows geographic distribution over the past week:
The United States Department of Homeland Security advised users to disable Java in their browsers until a patch is released for the vulnerability.
Update [January 13, 2012] – Oracle has just released the patch, and Symantec strongly urges all users of Java to download and install it as soon as possible. Oracle has also published a blog post with further details on the vulnerability.