August 31, 2012, 7:36 AM — First, the bad news. Once again, Mac users are at risk due to a flaw in Java, similar to the one that enabled the Flashback Trojan. Even worse, there isn't (yet) a patch to fix that vulnerability. But don't worry: This time around, there's good news for Mac users: Thanks to changes Apple has made, most of us are likely to be safe from this threat.
That said, although you likely aren't at risk today, it is clear that Java still represents one of the biggest, most persistent security problems facing users of all operating systems. So I recommend you consider implementing the precautions suggested below.
On Sunday, August 26, security vendor FireEye published information about a new Java attack that used a previously unknown Java vulnerability. The attack, which originated from China, affected the latest version of the Java Runtime Environment (Java 7, version 1.7). The attack comes through your Web browser when you browse to a malicious site and allows an attacker to silently take complete control over your computer.
After FireEye's initial post, details about the vulnerability quickly became public and exploits taking advantage of it appeared in multiple attack tools. Further research by security vendor Immunity Inc. indicated that the active exploit actually took advantage of two separate unpatched Java vulnerabilities (what we, in the industry, call zero-days).
The exploit for the first vulnerability was quickly added to the BlackHole exploitation kit, one of the most widely used malicious hacking tools. The exploit is also now available as an attack in the Metasploit penetration-testing framework, which is freely available and favored by script kiddies and security professionals (myself included) throughout the world.