Update (1/13): Three days after a critical Java vulnarability was widely reported, Oracle has issued an update to shut down the potential exploit and secure browsers using Java. You can update to Java SE 7u11 to secure your PC (or disable Java altogether). The security hole made browsers vulnerable to remote exploits when visiting a malicious website. With this latest update Oracle claims it's reducing future risks by switching security settings to "high" by default, meaning that unsigned or self-signed applets won't be run without express user authorization.

Original story is below:

Yet another zero-day vulnerability in Java has reared its ugly head, and according to security researchers, early indications suggest it is already being 'widely exploited' by malicious sites.

A researcher going by the name @kafeine first spotted the exploit in action and noted it's being used by a number of sites to silently install malware in drive-by download attacks. According to reports, one particular group is even using the exploit to install ransomware on affected PCs.

Kafeine notified security firm AlienVault labs, which has independently verified that the exploit exists. What's more, it's already been added to a number of exploit toolkits such as Blackhole and Nuclear Pack, making it easy for criminals to deploy. The exploit is specific to Java 7 and there is no fix for it at the moment, although Oracle says it's working on it. There's still no word on how long it's going to take.

Right now the only way to protect your machine against this exploit is disabling the Java browser plugin. Others, including US-CERT (United States Computer Emergency Readiness Team) have given the same advice, or recommended the more drastic measure of uninstalling Java entirely.