Every currently supported version of Java is vulnerable to a new exploit, according to Adam Gowdiak, a security expert who is known for finding Java exploits. That could include up to a billion computers, according to Oracle's installation statistics.
Gowdiak has sent the source code of the vulnerability, which can be used to install malware on a user's computer, to Oracle for analysis. He has assisted in getting Java exploits closed in the past, though Oracle's record of getting them all fixed in time is mixed, according to ComputerWorld:
Gowdiak has found other Java vulnerabilities in the past: Earlier this year he reported more than a dozen to Oracle. Months later, hackers independently uncovered one of the bugs, then began using it in widespread attacks during August.
On Aug. 30 Oracle shipped one of its rare emergency, or "out-of-band," security updates to patch the exploited Java bug.
This bug appears to be more serious, and looks like it affects far more users, including every single Mac running Snow Leopard or earlier, since Java came bundled with OS X in those versions. Hopefully Oracle pushes a patch soon, but until then, it's just one more thing to worry about. [Full Disclosure via ComputerWorld via Verge]