It took less than 12 hours from the time the proof of concept for the latest Java zero-day vulnerabilities went public for exploits of those vulnerabilities to be included in a commercial crimeware kit.
Brian Krebs was first to mention having heard that CVE-2012-4681 was being added to the Blackhole exploit kit, and SophosLabs confirmed seeing it in the wild a few hours later.
And this about Macs in particular:
Some have asked if Mac users are at risk from the CVE-2012-4681 exploit and the answer is “Maybe.” The version officially distributed by Apple is Java 6, which is not vulnerable.
Interesting that an older version is not vulnerable to this particular zero-day exploit. But if users of Lion and Mountain Lion have installed Java 7 directly from Oracle’s Java.com site (which is the only way to even get Java on Lion and Mountain Lion), then they are vulnerable.
And of course, Windows and Linux/UNIX/BSD are all vulnerable as well if Java 7 has been installed.
Soon Twitter users were tweeting that Mac users were being attacked, but that the Blackhole server is apparently serving Windows malware. That gives Mac users a reprieve to get their Java updated … if they installed it at all.
What is really sad is that Oracle was made aware of this vulnerability back in April and didn’t fix it in a timely manner.
Thankfully Firefox and Google Chrome will disable or at least not automatically run Java if it’s outdated. Other browsers (Internet Explorer, Opera, etc.) should be doing the same thing.