Endpoint Protection

Greetings everyone.

We are still getting a lot of questions about Symantec's coverage of the most recent Java 0-Day. I thought I would take a moment to jot down a list of our current coverage for this event, and hopefully save everyone some time and hassle.

Current Coverage:

• 24063 - Web Attack: Malicious Java Download 3
  Created prior to the advent of the 0day being used in the wild. This was detecting the Metasploit Exploit Module released for the exploit.

• 25826 - Web Attack: Blackhole Toolkit Website 30
  Also created prior to the 0 Day. This detects BlackHole Toolkits trying to make use of the new vuln as well.

• 25903 - Web Attack: Malicious JAR Download 3 CVE-2012-4681
  Built and released specifically to detect the exploit of the vuln.

Not-Coverage

• 25431 -  Web Attack: Malicious JAR File Download 6
  Although this signature was updated recently, it does not provide additional protection specific to this vulnerability.
  This was reported incorrectly for a short time in the Security Response blog, but has since been corrected.

2nd 0-day??

There has been some mention of a second Java 0-day but this seems to be a matter of semantics. The exploit requires both to actually function, so most researchers are considering them a single vulnerabilty. This may change, but its where wer are currently at.

That said, all the coverage information above, still holds true.

http://threatpost.com/en_us/blogs/researchers-identify-second-new-java-bug-082812
http://www.informationweek.com/security/vulnerabilities/java-zero-day-attack-second-bug-found/240006431

Security Response Blogs:

New Java Zero-Day Vulnerability (CVE-2012-4681)
Java Zero-Day Used in Targeted Attack Campaign