Via Kaspersky and a bunch of other sources:
Security experts are urging users to disable Java immediately after the discovery of another zero-day exploit that has been incorporated into the Blackhole, Redkit, Cool and Nuclear Pack exploit kits.
If you don’t recognize those names, they’re crimeware kits that let attackers booby-trap web sites and then lure unsuspecting victims to them with e-mail messages or poisoned search results. As soon as you load such a site in a browser with the Java plugin enabled, the exploit runs and your machine is compromised; no further click is needed.
At the moment there’s no patch for the flaw this exploit targets, although up-to-date antivirus software will usually block the exploit when it is served from these sites. That is a second line of defense, not a substitute for disabling the plugin.
Instructions on how to disable the Java plugin are here. And yes, this can affect Macs as well as Windows PCs, so don’t assume you’re immune because you have a Mac.
If you have specific sites that require a Java-based plugin, consider using Chrome’s ability to block the Java plugin globally while selectively enabling Java for specific sites. Details here.
Other possible strategies:
- Disable Java in your default browser but enable it in a secondary browser. When you need to use Java, fire up the alternate browser and navigate to the Java-based app manually.
- Install Java only inside a virtual machine and run your Java-based apps in that sandboxed installation, keeping it out of the host browser entirely. Although it sounds inconvenient, cleaning up a malware infection is worse.
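Whichever of the strategies above you pick, it is worth confirming that the browser really no longer exposes Java. The check below is an added example, not something from the original post or from Kaspersky: it inspects a navigator-like object for the legacy `navigator.javaEnabled()` flag, any plugin whose name mentions Java, and any enabled handler for the Java applet MIME types. The function takes the navigator as a parameter so it can run offline against constructed sample objects (those samples are made up here, not captured from real browsers); in a real page you would call it with `window.navigator`.

```javascript
// Added example (not from the original post): report whether a browser still
// exposes a Java plugin after you believe you have disabled it.
// MIME types that the Java browser plugin registers for applets.
const JAVA_MIME_TYPES = [
  'application/x-java-applet',
  'application/x-java-vm',
  'application/x-java-bean',
];

// Returns { javaActive, reasons } for a navigator-like object.
function javaPluginStatus(nav) {
  const reasons = [];

  // Legacy API: true when a Java plugin is installed and enabled.
  if (typeof nav.javaEnabled === 'function' && nav.javaEnabled()) {
    reasons.push('navigator.javaEnabled() returned true');
  }

  // Any registered plugin whose name mentions Java.
  for (const p of Array.from(nav.plugins || [])) {
    if (/java/i.test(p.name || '')) {
      reasons.push(`plugin registered: ${p.name}`);
    }
  }

  // An enabled MIME handler means an <applet>/<object> tag would still load Java.
  for (const m of Array.from(nav.mimeTypes || [])) {
    const type = (m.type || '').toLowerCase();
    if (JAVA_MIME_TYPES.includes(type) && m.enabledPlugin) {
      reasons.push(`MIME handler enabled: ${type}`);
    }
  }

  return { javaActive: reasons.length > 0, reasons };
}

// Constructed sample navigators (assumed shapes, not captured from real browsers).
const NAV_WITH_JAVA = {
  javaEnabled: () => true,
  plugins: [{ name: 'Java Applet Plug-in' }, { name: 'Shockwave Flash' }],
  mimeTypes: [
    { type: 'application/x-java-applet', enabledPlugin: { name: 'Java Applet Plug-in' } },
  ],
};

const NAV_JAVA_DISABLED = {
  javaEnabled: () => false,
  plugins: [{ name: 'Shockwave Flash' }],
  mimeTypes: [
    { type: 'application/x-shockwave-flash', enabledPlugin: { name: 'Shockwave Flash' } },
  ],
};

if (typeof window === 'undefined') {
  // Running outside a browser (e.g. node): exercise the constructed samples.
  console.log(javaPluginStatus(NAV_WITH_JAVA));
  console.log(javaPluginStatus(NAV_JAVA_DISABLED));
} else {
  // In a page: check the real browser.
  console.log(javaPluginStatus(window.navigator));
}
```

A result of `javaActive: false` is what you want to see after disabling the plugin. Note that a browser using click-to-play (the Chrome setup mentioned above) may still list the plugin while refusing to run it, so a listed plugin means "could run if allowed", not "runs on every page"; the definitive test is whether a known, harmless applet page actually starts Java.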
Additional reading: How big a security risk is Java? Can you really quit using it?