Unfortunately, it has been found in some of the most prevalent crimeware kits being used to infect users with malware, so it is being targeted NOW.
The malicious JAR archives exploiting this vulnerability we've seen so far are detected by Sophos products as Mal/JavaJar-B.
As ever, though, we would strongly recommend that users consider whether or not they require Java to be installed. If they do, they should ask whether it needs to be enabled within their web browser.
Remember, Java 7 update 10 introduced some very useful security controls for those that do require Java to be installed.
A single check-box can be used to disable the web plugin entirely, protecting you not just against this latest zero-day, but also against the ones we are likely to see during 2013.
There are other options within the new security controls, so if you require Java to be installed, take a look through the options now available to lock down your systems.
My advice? Don't delay. Don't put this on your security 'to do' list. Just secure your Java installation immediately.
Naked Security's Chet Wisniewski has put together simple instructions for users of the most popular browsers, explaining how Java can be disabled:
- How to disable Java in Internet Explorer
- How to disable Java in Firefox
- How to disable Java in Chrome
- How to disable Java in Safari
- How to disable Java in Opera