The latest Java version, Java 7 Update 10 contains a critical security vulnerability which is reportedly already being used for large scale cyberattacks. Users who have Java installed on their computers should deactivate the Java plugin in their browsers without delay.

A malware researcher calling himself kafeine has discovered an online exploit which makes use of a previously unknown Java vulnerability. Security experts at AlienVault have analysed the exploit and confirmed the significance of the find. They were able to use it to inject code onto a fully patched Windows system running Java 7 Update 10. It is currently unclear whether the vulnerability is also present in Java 6, though the exploit did not work in initial tests on Java 6 carried out by kafeine.

The vulnerability is, however, already being exploited by cybercriminals to distribute malware. Security blogger Brian Krebs says that attack modules for the Black Hole and Nuclear Pack exploit kits are already available. According to Krebs, a Black Hole developer calling himself "Paunch", posting on underground forums yesterday (Wednesday), heralded the zero day exploit as a New Year's gift for his paying customers.

Because the vulnerability, thanks to the various exploit kits, requires minimum effort to exploit, it is reasonable to expect that the number of web sites hosting the exploit is likely to rise exponentially over the next few days. Simply visiting an infected web site is all that's required to fall victim to a malware infection. The attack code may also be hosted on mainstream web sites.

Users should therefore deactivate the Java plugin in their browsers without delay. Instructions for doing so can be found on the following web pages:

In Opera, the plugin manager can be accessed by entering opera:plugins in the address bar. Disabling Java under Internet Explorer is not straightforward. Tests carried out by our associates at heise Security found that Microsoft's flagship browser was still able to access the Java plugin even after it had been explicitly disabled. Users running IE are therefore advised to uninstall Java completely using the Add or Remove Programs option in Windows' Control Panel. Users can check whether Java has been successfully deactivated using the Java test page in our browser check suite.

(sno)