Warning: Java Zero Day Flaw Under Attack

27.08.2012
Java is under attack again. A zero-day vulnerability is being exploited in the wild. The current attacks seem to be targeted, but security experts warn that more widespread attacks could be imminent.

Next to Adobe Reader and Adobe Flash, Java is probably one of the most ubiquitous and widely used applications. Unfortunately, it also provides attackers with plenty of holes and vulnerabilities to exploit, which makes it a popular target.

Proof-of-concept (PoC) code has been developed for the Metasploit Framework tool. Wolfgang Kandek, CTO of , explains that this is concerning because it makes the exploit available to a much wider audience, and probably means more attacks targeting the Java vulnerability are on the horizon.

Andrew Storms, director of security operations for , is concerned that it could be a while before a patch or update is released to resolve the vulnerability and guard against these attacks. "Oracle isn't known for releasing patches out of cycle and the next scheduled update for Java isn't until October. Part of the problem is that Java is so ubiquitous that it tends to be overlooked as a 'small' piece of software."

Kandek warns that until a patch is released, the only real defense users can employ is to limit the use of Java or uninstall it altogether. Uninstalling it may be a tad extreme, though. There are options within the Java security controls to restrict its use to well-known websites that are less likely to harbor malicious exploits.

Right now, it seems that only the newer version of Java, v7, is vulnerable to the zero-day. Java 1.6 might be safe, although it's not entirely clear at this time. The current attacks are aimed at Java 7 on Windows, but the Metasploit Framework PoC exploit also works on Mac OS X, so Apple users should be on guard as well.