Apple published an updated version of Java 1.6 for Mac OS X containing security in depth changes. Java 1.6 was not vulnerable to the exploit that affected the newer Java version v7, but Oracle included a new version nevertheless in last week’s update. We recommend installing this update according to your normal update schedule.
Oracle just released an out-of-band patch for the flaw CVE-2012-4681
The use of this exploit for the Java 0-day is continuing to spread – Websense states that the exploit has been detected on over 100 sites so far.
The best defensive option continues to be to limit use of Java 7. The US CERT has a good comprehensive list of technical measures.
There is also some information about the initial disclosure of the vulnerability. Polish security research company Security Explorations reported this and a number of other Java vulnerabilities to Oracle in April. However the exploit in the wild uses a slightly different codepath and so they do not believe that is based on their reports, but rather that attackers found the vulnerability independently.
Deep End Research has some more information available, including a pointer to an unofficial patch and some details on its workings. David Maynor from ErrataSec put the Metasploit module through its paces and it performs well under Windows, Mac OS X and Linux.
Over the weekend, an exploit for a new Java 0-day vulnerability was described by Atif Mushtaq at the FireEye Malware Intelligence Lab blog. The attackers serve a malicious piece of Java code through a web server to a browser, install a Trojan.Dropper, which then gets the final malware, a Remote Access Trojan installed on the machine.
Earlier today Proof-of-Concept code was integrated into the Metasploit Framework and the code works against Windows, Mac OS X and Linux as long as they have any version Java v7 (any available versions, even the latest revisions) installed.
We expect this exploit to be integrated into the current Exploit Kit frameworks soon and gain widespread use.
IT administrators only defense at the moment is to limit the use to Java. This can be implemenetd by uninstalling Java where not needed or by using the Zone mechanism in Internet Explorer, forbidding Java use in the Internet Zone (setting Registry Key 1C00 to 0 in Zone 3) and allowing it only on whitelisted websites in the Trusted Zone.
Mac OS X can turn off Java by unsetting the "On" field in their Java Preferences program, but note that recent versions of Mac OS X have included a generic and proactive security measure that deactivates Java if it has not been used in the last 35 days.
For once, users of the older Java v6 do seem to be better off as the vulnerability does not affect that version of Java. Stay tuned for more information.