A new vulnerability in all the most recent versions of Java is already being exploited in the wild. It’s being called a critical zero-day bug, meaning that the vulnerability can be exploited right now, before the developers have had a chance to fix it, and that it allows for serious security breaches.

The Ars Technica article linked above points out that several hacking toolkits have already been updated to include exploits specific to this vulnerability.

Our advice on using Java remains the same: if you require Java to be enabled in your web browser, use the available security features to prevent Java from running in any context where it’s not actually necessary. If you only require Java to be available outside of a web browser, disable Java in your web browser. If you don’t need Java at all, disable or remove it completely.

For additional details, see the CERT post. Mozilla has a helpful post about protecting users from this vulnerability.

Update 2013Jan12: Adam Gowdiak has weighed in on this issue. According to Mr. Gowdiak, this new vulnerability is the result of a previous vulnerability being improperly fixed by an earlier patch.

And now, an apology: somehow I missed the release of Java Version 7 Update 10, which apparently became available on December 12, 2012. That version addressed a variety of vulnerabilities and other bugs, and enhanced security in general with new features like the ability to prevent any Java application from running in a web browser.