A new zero-day vulnerability has been discovered in all currently supported versions of Java, which could potentially allow attackers to install malware on around 1 billion Macs and PCs.
Announced on the Full Disclosure mailing list by security researcher Adam Gowdiak yesterday, the bug is present in Java 5, Java 6, and Java 7 — as Computerworld points out, it is particularly significant for users of versions of Mac OS X up to and including Snow Leopard 10.6, which come bundled with the software. The 1 billion figure is taken from installation statistics provided by Oracle.
Details of the vulnerability have not been publicly disclosed. Gowdiak says that he has handed all the details, including source code for the proof-of-concept exploit, over to Oracle to examine.
Oracle has reportedly confirmed plans to release a patch for the issue, but has not released details on the timing of the release. It is not clear whether the patch will be released earlier than Java's next regular update on October 16th. Oracle released an emergency "out-of-band" update last month, when a similar zero-day vulnerability began to be exploited by hackers.
There are currently no reports of the vulnerability being exploited in attacks.
Until there is a patch, security experts are encouraging users to disable the Java browser plug-in on all of their computers. Disabling the plug-in blocks the drive-by vector through the browser, which is the route a malicious web page would use; applications that rely on an installed Java runtime outside the browser are unaffected by that step. Details on how to disable the plug-in in common browsers can be found on the United States Computer Emergency Readiness Team (US-CERT) website.