The cat is out of the bag. There is 0-day out there currently being used in targeted attacks. The number of these attacks has been relatively low, but it is likely to increase due to the fact that this is a fast and reliable exploit that can be used in drive-by attacks and all kinds of links in emails. Interestingly, Mark Wuergler mentioned on August 10 that VulnDisco SA CANVAS exploit pack now has a new Java 0-day. It makes you wonder if it is the same exploit that leaked from or was found in the wild and added to the CANVAS pack. Or if it is totally unrelated and there are two 0-day exploits now.
The purpose of this post is not to provide the vulnerability analysis or samples but to offer additional information that may help prevent infections on some targeted networks. We all know what kind of damage Java vulnerabilities can cause if used in drive by exploits or exploit packs and we think that revealing technical vulnerability details in the form of a detailed technical analysis is dangerous, while releasing working exploits before the patch is vain and irresponsible.
Oracle patch cycle is 4 months (middle of February, June, October) with bugfixes 2 months after the patch. The next patch day is October 16 - almost two months away. Oracle almost never issue out-of-cycle patches but hopefully they will do consider it serious enough to do it time.