We observed that a Java security bypass zero-day vulnerability (CVE-2013-0422) has been actively exploited in the wild starting Jan. 2. We have been able to reproduce the attack in-house with the latest Java 7 update (Java 7 update 10) on Windows.

We initially wanted to hold off on posting this blog entry until we received confirmation from Oracle; however, since other researchers are starting to blog on this issue, we have decided to release our summary. We will continue our research and continue to share more information.