Researchers are tracking a new, zero-day Java exploit that is being used in active attacks that may force users to disable the platform.
The vulnerability affects most versions of Java Runtime Environment, including the most recent iteration.
Proof-of-concept code has been published, and with no patch available, researchers now are bracing for an uptick in incidents beyond the limited and targeted occurrences that so far have been seen.
FireEye, which discovered the flaw on Sunday, said exploits are being launched from IP addresses based in the Asia region.
The exploit was added to the Metasploit Project penetration testing framework and was expected to show up in the widely used BlackHole exploit toolkit, one of the most popular threats on the web.
"The number of these attacks has been relatively low, but it is likely to increase due to the fact that this is a fast and reliable exploit that can be used in drive-by attacks and all kinds of links in emails," researchers Andre' DiMino and Mila Parkour of DeepEnd Security said in a blog post.
Oracle, which releases Java patches on a quarterly basis, isn't scheduled to fix the software again until 16 October, though researchers believe this vulnerability may warrant an out-of-cycle update.
In the meantime, DeepEnd Security said users should disable Java. But if they must run the technology, the all-volunteer organisation is offering an unofficial patch.
Michael Schierl, a German software developer and Java expert, told SC on Monday that this particular exploit only affects instances where the Java sandbox is used, such as in browser applets.
Other Java scenarios, such as when the software is used in back-end systems for applications or websites, are not impacted.
"My personal opinion is that Java in the browser is mostly useless these days and should not be used unless really needed," he said.
"Most things that Java applets used to do can be done with HTML5 [markup language] nowadays or, if needed, with SVG (Scalable Vector Graphics) or Flash. While Flash has its security problems too, the attack surface of Flash is a lot smaller and it is a lot harder to build a reliable exploit for Flash vulnerabilities.
"Java on the server or on the desktop, however, is a nice way to generally build more secure applications than in native languages like C++," Schierl added. "Just let its sandbox die."