Hackers are exploiting a previously unknown and currently unpatched vulnerability in the latest version of Java to surreptitiously infect targets with malware, security researchers said Thursday night.

The critical vulnerability is being exploited to install a remote-access trojan dubbed McRat, researchers from security firm FireEye warned. The attacks work against Java versions 1.6 Update 41 and 1.7 Update 15, which are the latest available releases of the widely used software. The attack is triggered when people with a vulnerable version of the Java browser plugin visit a website that has been booby-trapped with attack code. FireEye researchers Darien Kindlund and Yichong Lin said the exploit is being used against "multiple customers" and that they have "observed successful exploitation."

The security of Java is reaching near-crisis levels as reports of new in-the-wild exploits have become an almost weekly occurrence over the past few months. In the past several weeks, Facebook, Apple, and Twitter have all disclosed that their computers were compromised by exploits that were later linked to a developer website that itself had been hacked and turned into a platform for exploiting zero-day vulnerabilities in Java. Microsoft has also said its computers were hacked in a manner consistent with the same attack. Oracle says Java runs on three billion devices, although only Java browser plugins have been targeted in the string of exploits.

According to FireEye, the observed exploit "is not very reliable, as it tries to overwrite a big chunk of memory." Most of the time, attackers succeed in downloading a malicious payload onto the targeted machine, but it fails to execute. A researcher from Russia-based antivirus provider Kaspersky confirmed the bug to IDG News but went on to say the vulnerability can't be triggered in older versions such as Java 7 Update 10. Kaspersky also said the attacks appeared to target specific individuals or organizations.

While some may be tempted to install an older Java version to protect themselves against this latest exploit, readers should remember that attackers continue to exploit already patched bugs, too. Earlier this week, researchers discovered two additional vulnerabilities in Java. Neither one involves memory corruption, meaning they aren't the ones being exploited in the latest attacks, Adam Gowdiak, CEO of Poland-based Security Explorations, told Ars.

As Ars has advised for months now, people who have no need for Java should consider uninstalling it altogether, uninstalling just the browser plugin, or using a dedicated browser for the handful of sites they frequent that require Java and a separate browser for accessing all other sites.