Just in time for the new year, there's a new Java zero-day exploit out in the wild.
It's already being used by criminals to attack your Web browser, and the only defense is to disable Java for browsers altogether.
"Java 0 day Spotted and massively exploited in the Wild! Disable Java plugin now (or remove it)," tweeted the French security researcher who calls himself Kafeine earlier today (Jan. 10).
Kafeine linked to technical details on his blog, and researchers at AlienVault, a digital-security provider in San Mateo, Calif., quickly confirmed what he'd found.
Translating the Russian-language screenshots from hacker forums that Kafeine had posted, American security blogger Brian Krebs noticed that "Paunch," the leader of the group behind the Blackhole and Cool browser exploit kits, had announced the new exploit to his clients as a "New Year's gift."
It's possible that the Java zero-day is a product of Paunch's new $100,000 bug-bounty program, in which the criminal's gang pays independent researchers for new exploits.
Kafeine noted that the Nuclear Pack and Redkit exploit kits had also incorporated the exploit.
Browser exploit kits are one-size-fits-all bundles of malware that attack Web browsers with one exploit after another until something gets through and infects the target system. Exploit kits are inserted into Web pages, often without the knowledge of site administrators, by criminal gangs bent on profit.
As with most zero-days, this exploit is so new that most anti-virus software won't be able to protect against it.
The programming language Java was developed in the mid-1990s to run on "virtual machines" that could be embedded in any computer platform, and hence let software developers save time by building applications only once.
It was quickly adopted by Web developers who wanted to create small browser-based applications that could run on both Macs and PCs (not to mention Linux and Unix).
But Java's virtual machine for desktops and laptops has been plagued by security problems, with a seemingly endless number of vulnerabilities and exploits in the past few years.
Apple no longer enables Java by default in its Mac OS X operating system. Many security experts recommend that Windows users disable Java unless it's absolutely necessary.