Hackers have found a flaw in Oracle's Java software that allows them to break into users' computers and install nasty malware, security experts report. The attack, first spotted on Sunday by researchers at the security firm FireEye, is what security types call a "zero-day" threat, exploiting a previously unknown vulnerability for which there is currently no fix available.
The loophole appears to affect Java Version 7 (also known as 1.7) on all browsers. So far the attacks have been against PCs, but Mac users are vulnerable as well. Businesses should be especially concerned about targeted attacks, but just about anyone who uses Java on the Internet is at risk, especially since the attack has been added to the Internet's most popular exploit kit, BlackHole.
Given the potential seriousness and pervasiveness of the attacks — and Oracle's reputation for being slow on the draw in response to Java vulnerabilities — experts say that everyday Internet users should probably just disable Java entirely. Like, right now.
"Java has been the most exploited program for well over a year now and it simply isn't worth the risk," Chet Wisniewski of the security firm Sophos told me in an email. "I would recommend removing Java entirely, if you can."
That's not as problematic as it might sound. Java is not as popular on websites as it once was, and the average browser will rarely run across it, Wisniewski says.