The US Computer Emergency Readiness Team (US-CERT) has announced a Java zero-day vulnerability that is being exploited right now. For the time being, the only way to protect a machine is to disable the Java plugin in your browser(s) of choice.
US-CERT has also issued the following vulnerability note:
Overview – Java 7 Update 10 and earlier contain an unspecified vulnerability that can allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system.
Description – Java 7 Update 10 and earlier contain an unspecified remote-code-execution vulnerability. This vulnerability is being attacked in the wild, and is reported to be incorporated into exploit kits.
Impact – By convincing a user to visit a specially crafted HTML document, a remote attacker may be able to execute arbitrary code on a vulnerable system.
The flaw was first discovered by a French researcher who posted that the vulnerability was being exploited on a site that received “hundreds of thousands of hits daily” and that “this could be mayhem.” He went on to note that the exploit had been added to various Web threat tools that are used by hackers to distribute malware. This has also been confirmed by BitDefender and security expert Brian Krebs.
Again, unless you ABSOLUTELY have to use Java, please disable it in any browsers that you use. You can find instructions here on how to disable it in multiple browsers.