Published August 30, 2012
The folks at Oracle have released updates for Java, versions 1.7.0_07 and 1.6.0_3.
Oracle strongly recommends that all Java SE 7 users upgrade to this release.
You can download the installers from here.
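A quick way to act on the upgrade advice above is to check which Java build a machine actually has. The following script is an added example, not code from the post or from Oracle: it parses the string that `java -version` prints (for example `java version "1.7.0_06"`) and compares it against the fixed Java SE 7 release named above, 1.7.0_07. It compares the update number as an integer, because a naive string comparison would rank `_10` below `_7`. The threshold for the Java 7 line is taken from the post; the script deliberately returns "unknown" for other lines (such as Java 6) rather than guessing their fixed update level.

```python
import re
import subprocess

# Fixed release for the Java SE 7 line as named in the post (1.7.0_07).
# Assumption: any later 1.7.0 update also carries the fix.
FIXED_JAVA7 = (1, 7, 0, 7)

# Matches "1.7.0_06" or "1.7.0" (update number optional).
_VERSION_RE = re.compile(r'(\d+)\.(\d+)\.(\d+)(?:_(\d+))?')


def parse_java_version(text):
    """Extract (major, minor, micro, update) from `java -version` output.

    Returns None if no version string is present. A missing update
    number is treated as update 0.
    """
    m = _VERSION_RE.search(text)
    if not m:
        return None
    major, minor, micro, update = m.groups()
    return (int(major), int(minor), int(micro), int(update or 0))


def is_patched(version, fixed=FIXED_JAVA7):
    """True/False for a version in the same major.minor line as `fixed`.

    Returns None when the version is unknown or belongs to a different
    line, because this check only knows the Java 7 threshold.
    """
    if version is None or version[:2] != fixed[:2]:
        return None
    # Tuple comparison is element-wise on integers, so 1.7.0_10 > 1.7.0_7.
    return version >= fixed


def installed_java_version():
    """Run `java -version` (it writes to stderr) and parse the output."""
    try:
        proc = subprocess.run(["java", "-version"],
                              capture_output=True, text=True)
    except FileNotFoundError:
        return None
    return parse_java_version(proc.stderr + proc.stdout)


if __name__ == "__main__":
    v = installed_java_version()
    if v is None:
        print("no Java found, or version string not recognised")
    else:
        verdict = {True: "patched",
                   False: "VULNERABLE, upgrade",
                   None: "not a Java 7 install, check separately"}[is_patched(v)]
        print("installed %d.%d.%d_%02d: %s" % (v[0], v[1], v[2], v[3], verdict))
```

Run it on each host that has a JRE; anything reporting "VULNERABLE" is below 1.7.0_07 and needs the update. On systems with several JREs installed, the `java` on the PATH is not necessarily the one the browser plugin uses, so check the plugin's own install directory as well.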
Researchers who have been investigating the exploit for the new Java vulnerability, CVE-2012-4681, found that there were actually two previously unknown security bugs in Java 7 and that the exploit has been traced back to attackers in China. News of the Java vulnerability started to circulate on Sunday, and researchers have spent the last several days looking at the bug as well as the exploit code. What they found is that there were in fact two distinct zero-day vulnerabilities in the latest version of Java and that the new exploit uses them both.
“There are 2 different zero-day vulnerabilities used in this exploit: one is used to obtain a reference to the sun.awt.SunToolkit class and the other is used to invoke the public getField method on that class. The exploit is making use of the java.beans.Expression which is a java.beans.Statement subclass. There are 2 Expression instances that are used to trigger these 2 different bugs.”
Exploits for the new bugs have already made their way into the BlackHole exploit kit. BlackHole is one of the more popular exploit packs in use by malicious hackers/criminals and is easily available on the underground internet market.