US-CERT is warning of a recently discovered vulnerability in Oracle Java Runtime Environment (JRE) 1.7 (Java 7) that can be exploited to run arbitrary code.
According to the vulnerability note, "an untrusted Java applet can escalate its privileges... without requiring code signing."
"This vulnerability is being actively exploited in the wild, and exploit code is publicly available," warned US-CERT.
The vulnerability appears to affect Java 7 regardless of the operating system or browser; Windows, Mac OS X and Linux versions of Java 7 are known to be vulnerable.
The vulnerability has initially been used to deliver Windows malware, but that could easily change as Java vulnerabilities have been used in most recent Mac malware attacks.
The vulnerability is specific to Java 7 - earlier versions are not affected.
Page 2: upgrade schedule and mitigations