It has been noted that this zero-day attack affects Java 7 but not Java 6. Nonetheless, Websense's Astacio recommends against downgrading from version 7 to version 6, because version 6 has vulnerabilities of its own. "The best advice is to either disable Java 7 or remove it altogether until the appropriate patches are available," he said. "This is especially critical for enterprises that have mobile users in BYOD scenarios where the user might get their own device infected and then bring it back to the enterprise."
Astacio added that Java 7 is relatively straightforward to disable, based on a variety of instructions available on the Internet. He also recommends that most people delete the application altogether.
"Unless you actually need Java, you might choose to remove it from your system because of the history of exploits that have come out through it," he said. "Java is well known as a major attack vector for exploit kits. But if you absolutely do not need it, you're better off removing it altogether. Most consumer-type websites do not require it, but there are some applications internal to enterprises that may require it."
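Before an administrator can decide whether to disable or remove Java 7 on a fleet of machines, they need to know which hosts actually have it. The script below is an added example, not code from the article, from Websense or from Oracle: it parses the output of `java -version` (which the JVM prints to stderr) to recover the major version, flags Java 7 installations for the disable-or-remove action recommended above, and does not treat an older Java 6 as safe. The sample outputs are constructed to illustrate the two version-string formats Java has used; the `installed_java_version` helper that actually runs the command is an assumption about the local environment and is only needed for live use.

```python
import re
import subprocess
from typing import Optional

# Constructed sample outputs (not captured from any real host) showing the
# legacy "1.x" scheme used by Java 6/7 and the newer "N.x" scheme.
SAMPLE_OUTPUTS = {
    "java7": 'java version "1.7.0_06"\n'
             'Java(TM) SE Runtime Environment (build 1.7.0_06-b24)\n',
    "java6": 'java version "1.6.0_33"\n'
             'Java(TM) SE Runtime Environment (build 1.6.0_33-b03)\n',
    "java11": 'openjdk version "11.0.2" 2019-01-15\n'
              'OpenJDK Runtime Environment 18.9 (build 11.0.2+9)\n',
    "garbage": "command not found\n",
}

# Matches the first line of `java -version` for both Oracle and OpenJDK builds.
_VERSION_RE = re.compile(r'^(?:java|openjdk) version "([^"]+)"', re.MULTILINE)


def parse_major_version(version_output: str) -> Optional[int]:
    """Return the major Java version from `java -version` text, or None."""
    match = _VERSION_RE.search(version_output)
    if not match:
        return None
    parts = match.group(1).split(".")
    if parts[0] == "1" and len(parts) > 1:
        # Legacy scheme: "1.7.0_06" means Java 7, "1.6.0_33" means Java 6.
        return int(re.match(r"\d+", parts[1]).group(0))
    # Modern scheme: "11.0.2" means Java 11.
    return int(re.match(r"\d+", parts[0]).group(0))


def assess(version_output: str) -> str:
    """Map a `java -version` output to the action a defender should take."""
    major = parse_major_version(version_output)
    if major is None:
        return "no-java"
    if major == 7:
        # The version the article says is affected: disable or remove it.
        return "java7-disable-or-remove"
    if major < 7:
        # Not affected by this particular flaw, but an unsupported release
        # with its own known vulnerabilities; do not downgrade to it.
        return "legacy-java-upgrade"
    return "newer-java-review-patch-level"


def installed_java_version() -> Optional[int]:
    """Run `java -version` on this host (assumed to be on PATH) and parse it."""
    try:
        proc = subprocess.run(
            ["java", "-version"], capture_output=True, text=True, timeout=10
        )
    except (FileNotFoundError, subprocess.TimeoutExpired):
        return None
    # The JVM writes its version banner to stderr, not stdout.
    return parse_major_version(proc.stderr + proc.stdout)


if __name__ == "__main__":
    for name, text in SAMPLE_OUTPUTS.items():
        print(f"{name:8s} -> major={parse_major_version(text)} action={assess(text)}")
    print("this host ->", installed_java_version())
```

Run it as-is to see the classification of the constructed samples; in a real inventory job the `installed_java_version` result would be collected from each host rather than the sample strings, and hosts reporting `java7-disable-or-remove` are the ones to act on first.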
Oracle's next regularly scheduled security update is not anticipated until October, but many speculate that an emergency patch will be issued. At this time, however, there has been no indication of any such plans. A third-party organization, DeepEnd Research, is offering a patch that it says closes the vulnerabilities. That patch is reportedly available upon request from that organization.