Users can forbid the use of Java in the Internet Zone by setting the Windows registry key 1C00 to 0 under HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 and allowing Java only on whitelisted websites in the Trusted Zone, Kandek said Monday in a .
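The registry procedure above, carried out in PowerShell as an added example (this is not code from the article or from Kandek): it disables Java in the Internet zone (Zones\3), keeps it available at High safety in the Trusted Sites zone (Zones\2), and whitelists one site by mapping its domain to zone 2 under ZoneMap\Domains. The domain name is a constructed placeholder; the 1C00 values (0 = Disable Java, 0x10000 = High safety) are the documented Internet Explorer settings. Because Trusted Sites requires HTTPS by default, the mapping is written for the https scheme.

```powershell
# Added example (not from the article): restrict Java per-user (HKCU) in Internet
# Explorer and allow it only for one whitelisted site in the Trusted Sites zone.
$zones   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$domains = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'

# Zone 3 = Internet, Zone 2 = Trusted Sites. Value 1C00 holds the Java permission:
#   0x00000 = Disable Java, 0x10000 = High safety, 0x20000 = Medium, 0x30000 = Low.
$javaPermission = '1C00'
$disableJava    = 0
$highSafety     = 0x10000

# 1. Internet zone: disable Java outright, as the article describes.
Set-ItemProperty -Path "$zones\3" -Name $javaPermission -Value $disableJava -Type DWord

# 2. Trusted zone: keep Java available (High safety) so whitelisted sites still work.
Set-ItemProperty -Path "$zones\2" -Name $javaPermission -Value $highSafety -Type DWord

# 3. Whitelist a site by mapping its domain to zone 2. The value name is the URL
#    scheme ('*' would cover every scheme). The domain is a constructed placeholder.
$site    = 'intranet-app.example.com'
$siteKey = Join-Path $domains $site
if (-not (Test-Path $siteKey)) { New-Item -Path $siteKey -Force | Out-Null }
Set-ItemProperty -Path $siteKey -Name 'https' -Value 2 -Type DWord

# 4. Verify by reading the values back: 0 in zone 3 means Java is disabled there,
#    0x10000 in zone 2 means the whitelisted site still gets Java at High safety.
foreach ($zone in 3, 2) {
    $current = (Get-ItemProperty -Path "$zones\$zone").$javaPermission
    '{0,-8} 1C00 = 0x{1:X}' -f "Zone $zone", $current
}
'{0} -> zone {1}' -f $site, (Get-ItemProperty -Path $siteKey).https
```

Run it in the affected user's session (the keys live under HKCU, so no elevation is needed) and restart Internet Explorer afterwards; existing browser windows keep the zone settings they loaded at startup. Group Policy can push the same values machine-wide, but then the HKLM copy overrides whatever the user sets here.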
Meanwhile, users of Google Chrome and Mozilla Firefox can achieve a similar result by enabling the click-to-play feature that blocks plug-in-based content from loading by default and asks for user confirmation. The feature allows website white-listing.
Chrome has supported "click to play" for a long time, and it can be enabled easily from the advanced settings interface. In Firefox, however, the feature is still a work in progress and can only be activated by switching the "plugins.click_to_play" preference -- available only in Firefox 14 and above -- to "true" in the "about:config" interface.
The popular NoScript security extension for Firefox also forces click-to-play behavior for plug-in-based content, and other extensions that provide similar functionality are available for download from the Mozilla add-ons repository.
"Click to play" blocks the automatic exploitation of this vulnerability, but it does not prevent users from manually allowing malicious applets to execute when prompted to decide about them. Therefore, the task of assessing the risk ultimately falls to the user.