A new zero-day vulnerability has been discovered in all currently supported versions of Oracle's Java software, potentially allowing attackers to install malware on around 1 billion Macs and PCs. Announced on the Full Disclosure mailing list by security researcher Adam Gowdiak yesterday, the bug is present in Java 5, Java 6, and Java 7 — as Computerworld points out, it is particularly significant for users of versions of Mac OS X up to and including Snow Leopard 10.6, which come bundled with the software. The 1 billion figure is taken from installation statistics provided by Oracle.
Technical details of the vulnerability have not been publicly disclosed, and Gowdiak emphasizes that he has handed all details, including the source code for a proof-of-concept exploit, over to Oracle for analysis. While the company has reportedly confirmed plans to release a patch for the issue, it has not released timing details, and it is not yet clear whether the patch will emerge earlier than Java's next regular update on October 16th. When a similar zero-day vulnerability began to be exploited by hackers last month, Oracle released an emergency "out-of-band" update to ensure that users were protected.