Attackers are exploiting a new vulnerability in Java 7 Update 6 to infect
computers with malware. The exploit has been found to work against all
Java 1.7.x run-time environments. The attack proceeds as follows:
1. A redirector is placed in the HTML of the page the victim visits.
2. The redirected site serves a malicious applet, which installs a dropper (Dropper.MsPMs) without any prompt or notification to the user.
The exploit works on both Windows and Mac machines. Secunia rated the
vulnerability "extremely critical" because it allows execution of
arbitrary code on vulnerable systems without any user interaction.
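To make the two ingredients of that chain concrete, here is a small added scanner (example code written for this page, not part of the original article or of any vendor tool) that flags the redirector and the embedded applet when run over page content. The sample pages are constructed for the example; meta-refresh and near-invisible iframes are assumed here as the common forms a redirector takes, and the applet tags and Java MIME types are the standard ones. This is a heuristic triage aid, not a signature for this specific exploit.

```python
from html.parser import HTMLParser
import re

# Standard MIME types under which browsers hand an <object>/<embed> to the Java plug-in.
JAVA_MIME_RE = re.compile(r"application/x-java-(applet|vm|bean)", re.I)
# Well-known CLSID used by <object> tags to invoke the Java plug-in on Windows.
JAVA_CLSID = "clsid:8ad9c840-044e-11d1-b3e9-00805f499d93"


class AppletRedirectScanner(HTMLParser):
    """Collects redirectors and Java applet embeddings from an HTML document."""

    def __init__(self):
        super().__init__()
        self.redirects = []  # (kind, target) tuples
        self.applets = []    # (tag, archive-or-code) tuples

    def handle_starttag(self, tag, attrs):
        # html.parser lowercases tag and attribute names; valueless attrs arrive as None.
        a = {k: (v or "") for k, v in attrs}
        if tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            # content="0;url=http://..." -> pull out the target URL
            m = re.search(r"url\s*=\s*['\"]?([^'\"]+)", a.get("content", ""), re.I)
            target = m.group(1).strip() if m else a.get("content", "")
            self.redirects.append(("meta-refresh", target))
        elif tag == "iframe" and self._is_hidden(a):
            # A 1x1 or display:none iframe pulls in a second site without the user noticing.
            self.redirects.append(("hidden-iframe", a.get("src", "")))
        elif tag == "applet":
            self.applets.append(("applet", a.get("archive") or a.get("code", "")))
        elif tag in ("object", "embed"):
            if JAVA_MIME_RE.search(a.get("type", "")) or a.get("classid", "").lower() == JAVA_CLSID:
                self.applets.append((tag, a.get("archive") or a.get("data") or a.get("src", "")))

    @staticmethod
    def _is_hidden(a):
        def dim(v):
            m = re.match(r"\s*(\d+)", v or "")
            return int(m.group(1)) if m else None
        w, h = dim(a.get("width")), dim(a.get("height"))
        style = a.get("style", "").replace(" ", "").lower()
        return (w is not None and w <= 1) or (h is not None and h <= 1) or "display:none" in style


def scan_html(html):
    """Return the redirectors and applets found, plus an overall suspicious flag."""
    p = AppletRedirectScanner()
    p.feed(html)
    p.close()
    return {"redirects": p.redirects, "applets": p.applets,
            "suspicious": bool(p.redirects or p.applets)}


# Constructed sample pages for the example (not captured from a real attack).
REDIRECTOR_PAGE = """<html><head>
<meta http-equiv="refresh" content="0;url=http://landing.example/index.html">
</head><body>Loading...
<iframe src="http://landing.example/a.html" width="1" height="1"></iframe>
</body></html>"""

LANDING_PAGE = """<html><body>
<applet archive="app.jar" code="Exploit.class" width="1" height="1"></applet>
<object type="application/x-java-applet" archive="app.jar"></object>
</body></html>"""

CLEAN_PAGE = "<html><body><p>Hello</p><img src='x.png'></body></html>"

if __name__ == "__main__":
    for name, page in (("redirector", REDIRECTOR_PAGE), ("landing", LANDING_PAGE), ("clean", CLEAN_PAGE)):
        print(name, "->", scan_html(page))
```

Run over a saved copy of a page or a proxy capture, the first page reports the redirector, the second the applet embedding, and the clean page nothing. Note that a legitimate site using applets will also trip the applet check; the point is to surface pages that fetch a second site and load Java, which a human or further analysis then inspects.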
At the Black Hat security conference in July, security researchers warned that Java vulnerabilities are increasingly targeted by attackers. Java is widely deployed across many platforms, and a Java exploit behaves the same way on each of them, so attackers do not have to defeat each operating system's own security mechanisms.
The largest issue with Java vulnerabilities is not the vulnerabilities themselves. The first problem is that people may not install the patch. The second, more unsettling, is that Oracle is one of the most unresponsive vendors at the moment: it avoids communicating openly about security issues or even confirming their existence, including to the security researchers who report the vulnerabilities to it. Finally, Oracle is slow to ship patches, which leaves people exposed to a known vulnerability for longer.
Google Chrome automatically disables outdated plug-ins that are known to be vulnerable. Chrome also has a "Click to play" setting that requires the user to click on a plug-in embedded in a web page before it runs. This prevents automatic execution of embedded plug-ins, and security experts recommend enabling it. Mozilla maintains a plug-in blocklist for Firefox and used it in April to block vulnerable Java plug-ins in response to widespread attacks targeting a vulnerability in older versions.
Anti-virus programs will stop this attack only if they recognize the payload, and a tool such as MalwareBytes merely prevents you from visiting known exploited sites. Neither helps if the exploit is placed on a legitimate web site that everyone visits.
The best way to avoid this is to step back to Java 6 unless you really need
Java 7; whichever version you run, keep the browser plug-in disabled or set to
click-to-play unless you need applets. Java 6 is still being maintained:
Java 6 Update 34 was released on August 14th.
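As an added check for that advice (example code written for this page, not part of the original article), the function below parses the first line of `java -version` output and reports whether a runtime falls in the exposed 1.7.x range, is a Java 6 build older than Update 34, or is something else entirely. The version strings are constructed for the example; the "exposed" and "outdated" thresholds are exactly the ones the text gives.

```python
import re
import subprocess

# First line printed by `java -version`, e.g. java version "1.7.0_06"
# (newer builds print "openjdk version" and may omit the _update suffix).
VERSION_RE = re.compile(r'(?:java|openjdk) version "(\d+)\.(\d+)\.(\d+)(?:_(\d+))?')


def parse_java_version(version_output):
    """Return (major, minor, micro, update) from `java -version` output,
    e.g. 'java version "1.7.0_06"' -> (1, 7, 0, 6); None if it cannot be parsed."""
    m = VERSION_RE.search(version_output or "")
    if not m:
        return None
    major, minor, micro, update = m.groups()
    return int(major), int(minor), int(micro), int(update or 0)


def assess_java_version(version_output):
    """Classify a runtime against the advice above: every 1.7.x build is exposed
    to the exploit; Java 6 is acceptable at Update 34 or later, otherwise out of date."""
    v = parse_java_version(version_output)
    if v is None:
        return "unknown"
    major, minor, _micro, update = v
    if (major, minor) == (1, 7):
        return "exposed: Java 1.7.x"
    if (major, minor) == (1, 6):
        return "ok: Java 6 >= Update 34" if update >= 34 else "outdated: Java 6 < Update 34"
    return "not covered here: Java %d.%d" % (major, minor)


def installed_java_version():
    """Run `java -version` on this machine (it prints to stderr); None if no java is found."""
    try:
        out = subprocess.run(["java", "-version"], capture_output=True, text=True, timeout=10)
    except (OSError, subprocess.TimeoutExpired):
        return None
    return out.stderr or out.stdout


# Constructed sample outputs for the example.
SAMPLES = {
    "java7u6": 'java version "1.7.0_06"\nJava(TM) SE Runtime Environment',
    "java6u34": 'java version "1.6.0_34"\nJava(TM) SE Runtime Environment',
    "java6u31": 'java version "1.6.0_31"\nJava(TM) SE Runtime Environment',
}

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        print(name, "->", assess_java_version(text))
    local = installed_java_version()
    print("this machine ->", assess_java_version(local) if local else "no java found")
```

This only inspects the command-line runtime; a browser can have a different plug-in version registered than the `java` on the PATH, so check the browser's plug-in list as well.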