Researchers at the respected security firm FireEye have discovered yet another Java zero-day attack that leverages previously unknown vulnerabilities with the latest versions of Java (as of this writing Java v1.6 Update 41 and Java v1.7 Update 15) to install malware. This comes on the heels of a discovery of two other holes (as yet unexploited) by the Polish firm Security Explorations this past week.
The exploit in question is actually unreliable and contains buggy and poorly implemented code. Rest assured, however, that the hackers will perfect their code in no time – they probably already have. The flaw will allow “drive-by” attacks using legitimate but infected websites that contain the code to automatically download and execute the malware payload on your PC or Mac. Your antivirus software cannot prevent this from happening.
What can you do? Here are a few steps to follow:
- Stop using Internet Explorer. There’s no easy or reliable way to disable Java in IE so it’s better to switch to Firefox or Chrome for your primary web browser.
- Disable Java in Firefox, Chrome, or Safari.
- Unless you’re sure you need it, just uninstall Java altogether.