A new vulnerability was found last week in the latest Java 7 runtime from Oracle. The vulnerability is currently being used by malware developers to exploit systems that have the runtime installed.
Similar to the Flashback malware seen affecting Mac systems with unpatched versions of Java installed, this latest threat uses a drive-by attack in which simply visiting a malicious Web page will result in the Java applet running and compromising the system.
When the exploit loads, systems may see a blank Web page with no activity, but may also see a brief Java icon with "Loading" text before this icon and text vanishes.
Being a vulnerability in Java, the exploit has the potential to be cross-platform and, according to ComputerWorld, Mac systems with the Java 7 runtime are vulnerable. While there are no known attempts to use this vulnerability to specifically target Mac users, the exploit has been successfully triggered in both Safari and Firefox on Macs running Mountain Lion. Furthermore, the means to exploit this vulnerability have been found distributed in underground malware development kits, making it easier for the exploit to be developed into malware by those wishing to target Mac users.
Luckily, because Java 7 is not an Apple-supplied product and the current exploit only works against the latest Java 7 runtime, relatively few people are at risk from this threat so far. To be affected, you would have to both install Oracle's Java 7 package and run across a Mac-specific exploit for this vulnerability, which to date has yet to be discovered.
Nevertheless, as long as the vulnerability remains unpatched the potential is there for hackers to take advantage of it, as was seen with the evolution of the Flashback malware.
When notable exploits began appearing for past versions of Java that Apple supported, the company took very basic but effective measures to tackle the issues, the predominant one being to automatically disable the Java browser plug-in on systems that do not regularly use it. Unfortunately, Oracle's Java runtime does not support this security measure, so as long as it is installed the plug-in will remain active by default.
Unfortunately, even though this vulnerability is being actively exploited, Oracle updates Java on a quarterly basis, so unless the company breaks this schedule (a rarity) to address the issue, users will have to wait until October to receive a patch. Some third parties have developed their own patches for the runtime, but are only issuing them to specific organizations with a particular need for them.
As a result, if you have Java 7 installed on your system then the only effective means of closing this vulnerability is to disable the Java plug-in or remove the Java runtime altogether. To disable the plug-in, uncheck the "Enable Java" option in the Security section of Safari's preferences, or in Firefox go to the Add-ons option in the Tools menu and click the Disable button next to the Java plug-in listed there. Note that disabling the plug-in only protects the browser you disabled it in, so you will have to do so independently for every browser you run. The more thorough option is to uninstall the Java runtime: open the /Library/Java/JavaVirtualMachines/ folder on your boot drive (Macintosh HD) and remove the folder called "1.7.0.jdk" (the exact name may include an update number, depending on which Java 7 release you installed).
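The check-and-remove procedure above, as an added shell example for Terminal that is not part of the original article. It reports which major Java version is on the path, lists any Java 7 runtime folders under /Library/Java/JavaVirtualMachines/, and can remove them. The "1.7.0.jdk" folder name comes from the article; the jdk1.7.*.jdk pattern, the plug-in path under /Library/Internet Plug-Ins, and the Safari preference key WebKitJavaEnabled are assumptions, and the functions take a directory argument so they can be tried against a scratch folder before being pointed at the real one (removal needs sudo).

```shell
#!/bin/sh
# Added example, not code from the original article. Inspect a Mac for
# Oracle's Java 7 runtime and optionally remove it. Paths and the Safari
# preference key marked "assumed" are assumptions, not facts from the page.

JVM_DIR_DEFAULT=/Library/Java/JavaVirtualMachines
PLUGIN_DEFAULT="/Library/Internet Plug-Ins/JavaAppletPlugin.plugin"  # assumed location

# Read the text of `java -version` from stdin and print the major version,
# e.g. 7 for a line like: java version "1.7.0_06". Prints nothing otherwise.
java_major_version() {
    sed -n 's/^[a-z]* version "1\.\([0-9]*\)\..*/\1/p' | head -n 1
}

# Print the full path of every Java 7 runtime folder inside directory $1.
# "1.7.0.jdk" is the name the article gives; jdk1.7.*.jdk is assumed for
# later Oracle releases. Always returns 0 so callers can use it under set -e.
find_java7_jdks() {
    dir=${1:-$JVM_DIR_DEFAULT}
    if [ -d "$dir" ]; then
        for d in "$dir"/1.7.0.jdk "$dir"/jdk1.7.*.jdk; do
            if [ -d "$d" ]; then
                printf '%s\n' "$d"
            fi
        done
    fi
    return 0
}

# Delete every Java 7 folder found under $1, refusing anything whose path
# is not a *.jdk entry directly inside that directory.
remove_java7_jdks() {
    dir=${1:-$JVM_DIR_DEFAULT}
    find_java7_jdks "$dir" | while IFS= read -r d; do
        case "$d" in
            "$dir"/*.jdk) rm -rf "$d" && printf 'removed %s\n' "$d" ;;
            *) printf 'refusing to remove %s\n' "$d" >&2 ;;
        esac
    done
    return 0
}

# Turn the Java plug-in off in Safari only (assumed preference key).
# Firefox has no equivalent command-line toggle; use its Add-ons window.
disable_safari_java() {
    defaults write com.apple.Safari WebKitJavaEnabled -bool false
}

# Summarise what is installed on the current machine.
report_java7() {
    ver=$(java -version 2>&1 | java_major_version)
    printf 'java on PATH reports major version: %s\n' "${ver:-none}"
    find_java7_jdks "$JVM_DIR_DEFAULT"
    if [ -d "$PLUGIN_DEFAULT" ]; then
        printf 'browser plug-in present: %s\n' "$PLUGIN_DEFAULT"
    fi
}

# Usage: sh java7check.sh report   |   sudo sh java7check.sh remove
case "${1:-}" in
    report) report_java7 ;;
    remove) remove_java7_jdks "$JVM_DIR_DEFAULT" ;;
esac
```

Run it with `report` first to see what it would touch; `remove` only deletes folders that match the Java 7 names directly inside the JavaVirtualMachines directory, so an Apple-supplied Java 6 folder alongside it is left alone.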