A new year has arrived, as has a new Java 0-day vulnerability. The vulnerability is present in all Java versions up to version 7 update 10. There is currently no patch available for this, and it has already been integrated into the BlackHole exploit kit. As many of you know, Java runs on all platforms, so it doesn’t matter if you run Windows, Mac or Linux, you’re all at risk. Last time this happened, we advised you to uninstall or disable Java in your browser if you don’t have a specific need for it. I want to reiterate this once more. You can click on this link to see if you have Java installed: http://www.java.com/sv/download/installed.jsp
We suggest that you either uninstall Java if you have no need whatsoever for it, disable it in your main browser (so you use a secondary browser only for your Java activity), or disable it fully in all your browsers. Information on how to do this can be found below:
Uninstalling Java on Windows 7: http://www.java.com/en/download/uninstall.jsp
Uninstalling Java on Mac: http://osxdaily.com/2012/04/07/tips-secure-mac-from-virus-trojan/
Disabling Java in browsers:
In Firefox, select “Tools” from the main menu, then “Add-ons,” then click the “Disable” button next to any Java plug-ins.
In Safari, click “Safari” in the main menu bar, then “Preferences,” then select the “Security” tab and uncheck the button next to “Enable Java.”
In Chrome, type or copy “Chrome://Plugins” into your browser’s address bar, then click the “Disable” button below any Java plug-ins.
In Internet Explorer, follow these instructions for disabling Java in all browsers via the Control Panel. There is no way to completely disable Java specifically in IE.
More information can be found here: http://www.kb.cert.org/vuls/id/625617
Update: Oracle have now released a patch for Java (version 7 update 11), so anyone using Java should immediately update to this version. You can do this either by updating through Java Update or by going to http://www.java.com/en/download/index.jsp
You should, however, only install this update if you have a need for Java, and those who do should still follow the guidance in our last mail regarding only allowing it for stand-alone applications and/or multiple browsers.
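To check a machine against the versions named above, the following added example (not part of the original post) parses the version line that `java -version` prints and flags anything below 7 update 11, following this advisory's statement that all versions up to 7 update 10 are affected. The function names and the sample version strings are constructed for illustration.

```python
import re
import subprocess

# First release carrying the fix according to this advisory: Java 7 update 11.
FIXED = (7, 11)

# Matches the legacy "1.<major>.0_<update>" scheme used by Java 7 and earlier,
# e.g. 'java version "1.7.0_10"'. A missing "_NN" suffix means update 0.
_VERSION_RE = re.compile(r'version "1\.(\d+)\.\d+(?:_(\d+))?')


def parse_java_version(text):
    """Return (major, update) from `java -version` output, or None."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    return int(m.group(1)), int(m.group(2) or 0)


def classify(text):
    """Map `java -version` output to 'vulnerable', 'patched' or 'unknown'."""
    version = parse_java_version(text)
    if version is None:
        return "unknown"
    # Per the advisory, everything up to 7 update 10 is affected.
    return "vulnerable" if version < FIXED else "patched"


def installed_java_status():
    """Run the local `java -version` (it prints to stderr) and classify it."""
    try:
        proc = subprocess.run(["java", "-version"], capture_output=True,
                              text=True, timeout=10)
    except (OSError, subprocess.TimeoutExpired):
        return "not installed"
    return classify(proc.stderr + proc.stdout)


if __name__ == "__main__":
    # Constructed sample outputs, not captured from real machines.
    for sample in ('java version "1.7.0_10"', 'java version "1.7.0_11"',
                   'java version "1.6.0_38"', 'java version "1.7.0"'):
        print(sample, "->", classify(sample))
    print("this machine ->", installed_java_status())
```

`java -version` reports the runtime found on the PATH, which can differ from the version the browser plug-in uses, so the browser check linked above still applies.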