The latest Java zero-day vulnerability is already available to users of the Metasploit tool and Blackhole exploit kit, say security researchers.
The Java vulnerability allows attackers to use a custom web page to force systems to download and run malware that does not have to be coded in Java.
Researchers at security company FireEye said they had seen the unpatched exploit used in limited targeted attacks.
They said in a blog post that most of the recent Java run-time environments from JRE 1.7 onwards are vulnerable.
DeepEnd Research said attacks using the vulnerability are likely to increase, as it is a fast and reliable exploit that can be delivered through drive-by attacks and all kinds of links in emails.
The inclusion of the vulnerability in Metasploit and Blackhole will only accelerate this. Symantec researchers report they have already spotted two websites created to exploit the flaw.
Since the discovery of the vulnerability, there has been much speculation about whether Java custodian Oracle will consider the vulnerability serious enough to release an out-of-cycle security patch.
If Oracle were to wait until its next scheduled patch release, JRE users would be at the mercy of exploits of the vulnerability until 16 October.
Although there has been no official word from Oracle, researchers from Security Explorations have told Softpedia that Oracle is already working on a patch.
Security Explorations reported the issue to Oracle in April 2012 and a recent status report shows that it has been addressed, according to the security company’s chief executive Adam Gowdiak.
DeepEnd Research has developed an interim patch for systems administrators, but has advised users to simply disable Java in their browsers until an official patch is available.
DeepEnd advised against downgrading to earlier versions of Java because of the many other vulnerabilities in the older versions.