Security experts are warning people to disable Oracle's Java software in web browsers, following the discovery of a zero-day flaw that has already been used to break into computer systems and spread malware.
Web security company FireEye announced on 26 August that it had spotted the new attack in the wild – that is, being used against systems by hackers, rather than passed around for discussion – and that until Oracle provided an update for Java: "Most of the Java users [online] are at the mercy of this exploit."
Oracle claims that Java is installed on more than 3bn devices, but security company Rapid7 says that only about 35% of users get updates for the software when patches to close security holes are issued.
Its data suggests that even among those who do update, nearly half take more than 60 days to do so.
The flaw affects Java 7 (internally numbered 1.7, updates 0 to 6) but not Java 6 and earlier.
On Monday, Atif Mushtaq of FireEye said he had started getting the first indication of a large-scale attack, in which a number of hacked websites were using the exploit to install malware on Windows users' machines – although Apple Mac machines could also be targeted.
However, Java 7 is not installed by default on Macs, which currently ship with version 6, and that version is unaffected.
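The only hard data the article gives a practitioner is the affected version range: Java 7 (1.7), updates 0 to 6, with Java 6 and earlier untouched. The script below, an added example rather than anything from the article, FireEye or Oracle, parses the version banner that `java -version` prints (to stderr) and decides whether the installed runtime falls inside that range. The function names, the sample banners and the choice to treat any update number above 6 as outside the range are assumptions of this example, not statements from the page.

```python
"""Decide whether a local Java runtime is inside the affected range
(Java 1.7, updates 0 to 6) reported for the August 2012 zero-day.

Added example, not code from the original article. The version banner
samples below are constructed to match the usual `java -version` layout.
"""
import re
import subprocess
from typing import Optional, Tuple

# Matches the first line of `java -version`, e.g.
#   java version "1.7.0_06"
#   java version "1.6.0_35"
# The update number after the underscore is optional; a bare "1.7.0"
# is the original release, i.e. update 0.
_BANNER_RE = re.compile(r'java version "(\d+)\.(\d+)\.(\d+)(?:_(\d+))?')

# Range given in the article: Java 7 (1.7), updates 0 through 6.
AFFECTED_MAJOR_MINOR = (1, 7)
AFFECTED_MAX_UPDATE = 6


def parse_java_version(banner: str) -> Optional[Tuple[int, int, int, int]]:
    """Return (major, minor, patch, update) from a `java -version` banner,
    or None if no recognisable version line is present."""
    match = _BANNER_RE.search(banner)
    if not match:
        return None
    major, minor, patch, update = match.groups()
    return (int(major), int(minor), int(patch), int(update or 0))


def is_affected(banner: str) -> bool:
    """True if the banner describes Java 1.7 update 0..6.

    Java 6 and earlier are reported unaffected; anything after update 6
    is treated as outside the range the article gives (assumption).
    Raises ValueError if the banner cannot be parsed, so an unknown
    runtime is never silently reported as safe.
    """
    parsed = parse_java_version(banner)
    if parsed is None:
        raise ValueError("no Java version line found in banner")
    major, minor, _patch, update = parsed
    return (major, minor) == AFFECTED_MAJOR_MINOR and update <= AFFECTED_MAX_UPDATE


def check_local_java() -> Optional[bool]:
    """Run `java -version` on this machine and classify the result.

    Returns None if no java binary is on PATH (nothing to disable),
    otherwise the result of is_affected on the printed banner.
    """
    try:
        proc = subprocess.run(["java", "-version"], capture_output=True, text=True)
    except FileNotFoundError:
        return None
    # The JVM prints its version banner on stderr, not stdout.
    return is_affected(proc.stderr or proc.stdout)


# Constructed sample banners for offline use (not captured from real hosts).
SAMPLE_JAVA7_U6 = (
    'java version "1.7.0_06"\n'
    'Java(TM) SE Runtime Environment (build 1.7.0_06-b24)\n'
    'Java HotSpot(TM) 64-Bit Server VM (build 23.2-b09, mixed mode)\n'
)
SAMPLE_JAVA6_U35 = (
    'java version "1.6.0_35"\n'
    'Java(TM) SE Runtime Environment (build 1.6.0_35-b10)\n'
)

if __name__ == "__main__":
    for name, banner in (("Java 7u6", SAMPLE_JAVA7_U6), ("Java 6u35", SAMPLE_JAVA6_U35)):
        print(f"{name}: affected={is_affected(banner)}")
    local = check_local_java()
    print("local runtime:", "not installed" if local is None else f"affected={local}")
```

The parser deliberately fails loudly on an unrecognised banner rather than returning "not affected", since a version check that defaults to safe is worse than none; the same shape works for any advisory that names a closed range of Java updates.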
Source: The Guardian