The vulnerability allows computers to be infected by simply visiting a specially crafted web page, and the malware served in the current attacks contacts a C&C server in Singapore.
The attacks are limited, but it's only a matter of time until other cyber criminals create their own pages exploiting the flaw.
In the meantime, a module that takes advantage of it has already been added to the Metasploit Framework, and it works against a fully patched Windows 7 SP1 with Java 7 Update 6, Mozilla Firefox on Ubuntu Linux 10.04, Internet Explorer / Mozilla Firefox / Chrome on Windows XP, Internet Explorer / Mozilla Firefox on Windows Vista and Windows 7, and Safari on OS X 10.7.4.
Researchers from heise Security have also created a PoC page using information that is publicly available.
Oracle is yet to comment on the news, and to say whether it will break its scheduled quarterly patch cycle to issue a patch for the flaw.
In the meantime, users are advised either to disable or remove Java for the time being - or for good.
If you're a Windows user and you have decided to disable Java, go to your Control Panel, select "Java", and once the "Java Runtime Environment Settings" dialog box appears, select "Java" once again and uncheck the "Enabled" check box. Needless to say, if in the future you need to use Java again, go through the same steps and check the aforementioned check box.
To completely remove Java from your system, go to the Control Panel > Programs > Programs and Features, find Java, select it and press the "Uninstall" button.
Another option is to remove the Java plugin from the browser.
By subscribing to our early morning news update, you will receive a daily digest of the latest security news published on Help Net Security.
With over 500 issues so far, reading our newsletter every Monday morning will keep you up-to-date with security risks out there.