While half of the globe was busy yesterday having the “lols” about the Japanese kitten rigged with a malware-infested flash device attached to its collar, serious stuff was going down in Javaland.
UPDATE: On January 13, Oracle issued a partial fix for the issue. The patch is now available on the Oracle web portal and updates Java to version 1.7 Update 11. You are advised to update immediately, but exercise caution when visiting web pages outside of your trusted websites list.
Remember that Oracle shipped the new version of Java with built-in disabling features sometime before Christmas? Now would be a great time to put these to good use, as a new zero-day exploit targeting Java 1.7 rev 10 has just made its way into a brand-new exploit kit tailored for exclusive clientele.
We’re digging into the issue, but, until we come up with a fix for that, it would be a great idea to flush Java off your computer or, at least, to turn off the Java plugin for the browser you’re using to navigate the Internet.
In 2012, Java was hit by two super-critical bugs that were rapidly included in the Blackhole exploit pack, one of the most popular attack toolkits to date. Following the first series of attacks in August against machines running Java 1.7, Java maker Oracle issued a fix that only made things worse. The patch made way for a similar exploit that now affects Java 5, 6, and 7 alike.
Given the current situation, you are strongly advised to put Java down and keep it that way until things get sorted out. Also make sure that you DO NOT follow any spammy links in the following days, regardless of how appealing they might look.