A critical zero-day vulnerability in Java has caused worldwide panic and unrest. The flaw is being exploited in the wild, and exploit code is widely available. Metasploit was the first to provide a proof-of-concept that works across a variety of browsers. The vulnerability is still unpatched, and although no criminal cases have been reported yet, there is no guarantee that it is not already happening. The safest course is to disable the Java plugin in your browser until Oracle releases a fix for the vulnerability.
This security hole affects all Java versions in the 7.X branch. It works across all browsers, including Google Chrome, which is touted as unbreakable and secure. Apparently, Google Chrome's sandbox runs only Adobe Flash sandboxed by default; the Java plugin is not part of the Chrome sandbox. Java is platform independent, and this exploit rides on that fact, spreading to all popular platforms (Windows, Linux and Mac) with little effort. The most dangerous aspect is that the vulnerability lets malicious code disable the Java Security Manager altogether.
The exploit has been used successfully to install a variant of the Poison Ivy trojan. The attacks originate from servers in China, and Oracle has not yet released any statement on fixing this vulnerability. The NakedSecurity blog at Sophos writes,
In his conversation with the Blackhole author, Krebs was told that exploits like this could go for $100,000 on the black market. That shows how effective attacks using this type of vulnerability can be.
Security experts are working on an unofficial patch for this vulnerability, as Oracle's next scheduled Java update is not until 16 October.