We are still getting a lot of questions about Symantec's coverage of the most recent Java 0-Day. I thought I would take a moment to jot down a list of our current coverage for this event, and hopefully save everyone some time and hassle.
- 24063 - Web Attack: Malicious Java Download 3
Created before the 0-day was being used in the wild. This signature was detecting the Metasploit exploit module released for the exploit.
- 25826 - Web Attack: Blackhole Toolkit Website 30
Also created prior to the 0-day. This detects Blackhole toolkits trying to make use of the new vulnerability as well.
- 25903 - Web Attack: Malicious JAR Download 3 CVE-2012-4681
Built and released specifically to detect exploitation of the vulnerability.
- 25431 - Web Attack: Malicious JAR File Download 6
Although this signature was updated recently, it does not provide additional protection specific to this vulnerability.
This was reported incorrectly for a short time in the Security Response blog, but has since been corrected.
There has been some mention of a second Java 0-day, but this seems to be a matter of semantics. The exploit requires both to actually function, so most researchers are considering them a single vulnerability. This may change, but it's where we are currently at.
That said, all the coverage information above still holds true.
Security Response Blogs: