Security experts generally advise users to disable the Java browser plugin, which was exploited in recent targeted attacks on developers at Facebook, Apple and Microsoft.
Reports of the new Java flaws come as an exploit for a flaw patched in Java 7 Update 13 on February 1 has found its way into automated exploit kits designed for mass infections.
Security researcher Kafeine, who has closely monitored the development of ransomware and popular exploit kits, on Sunday reported the exploit’s arrival in several crime kits.
Another, Popads, included an additional lure of a self-generated fake Microsoft certificate for a malicious Java applet that is designed to trick users into installing a fake Java security update.
The social engineering is “tricky”, Kafeine notes, but the upshot for potential Windows victims is that they need to click “run” in the security warning to become infected.
Link: http://www.cso.com.au/article/454780/new_java_7_security_flaws_emerge_old_one_lands_crime_kits/