A zero-day Java vulnerability that affects all versions of the browser plug-in has been incorporated in popular exploit kits used by cybercriminals, security experts say.
The exploits for the vulnerability have been implemented within the Blackhole, Cool and Nuclear Pack kits. The flaw affects all versions of the Java plug-in, including the latest Java 7 Update 10.
HD Moore, chief security officer for Rapid7, said the exploits have already been found on compromised websites, which are capable of infecting visitors' PCs with malware. The exploits affect computers running Java in browsers on Windows, Mac OS X or Linux.
"In terms of the impact, this is about as bad as it gets," Moore said.
A French researcher who uses the handle Kafeine discovered the vulnerability Thursday. "This could be mayhem," the researcher said of the flaw.
AlienVault was able to reproduce an exploit of the flaw in a fully patched new installation of Java. "The Java file is highly obfuscated, but based on the quick analysis we did, the exploit is probably bypassing certain security checks, tricking the permission of certain Java classes," researcher Jaime Blasco said in the AlienVault Labs blog.
A similar bypass mechanism was used in exploits of an earlier Java vulnerability, listed as CVE-2012-4681 in the National Vulnerability Database.
[See also: Vulnerability management - The basics]
"Right now, the only way to protect your machine against this exploit is disabling the Java browser plugin," Blasco said. "Let's see how long does it take for Oracle to release a patch."
Security experts often criticize Oracle for moving too slowly in releasing Java patches and for not sharing enough information about vulnerabilities. Oracle did not respond to a request for comment.
The Java plug-in has become a favorite of criminals looking to hijack PCs for botnets and to steal personal data, credit card numbers and online banking credentials. A large number of computers are infected through drive-by-downloads on compromised websites, which are typically infected through Web exploit tool kits.
Java plug-ins are particularly vulnerable because users often do not deploy security updates in a timely fashion. Rapid7 estimates that 65% of the installations today are unpatched.
Experts recommend disabling Java in browsers, unless it is needed to access specific applications. In the latter cases, a separate browser should be dedicated for that single purpose.
Read more about application security in CSOonline's Application Security section.