A piece by Marian Radu on Microsoft’s TechNet blog warns that users who have not updated the Java Runtime Environment (JRE) on their machines are vulnerable to drive-by downloads of a Trojan called Unruy, which has been associated with rogue security products. Radu said the vulnerability (which was patched in March) is being actively exploited.
Browsers running JRE versions up to version 6 update 18 are vulnerable. As of today, the current JRE release is version 6 update 21.
Microsoft Technet blog piece here: “Unruy downloader uses CVE-2010-0094 Java vulnerability”
Users can easily check their version of Java and download necessary updates here: http://www.java.com/en/download/manual.jsp
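
For administrators checking more than one machine, the sketch below is an added example (not from the Microsoft post) that classifies collected `java -version` output against the two versions named above. It assumes the legacy `1.<family>.0_<update>` version string, reads "up to version 6 update 18" as inclusive and as covering older families, and uses constructed host names and sample strings.

```python
import re

# Thresholds taken from the post: vulnerable up to 6u18, current release 6u21.
# Assumption: "up to" is inclusive and also covers families older than 6.
LAST_VULNERABLE = (6, 18)
CURRENT_RELEASE = (6, 21)

# Legacy Java version string: 1.<family>.<minor>[_<update>], e.g. 1.6.0_18
# The lookbehind stops a match inside a longer number such as 11.6.0.
_VERSION_RE = re.compile(r"(?<![\d.])1\.(\d+)\.\d+(?:_(\d+))?")


def parse_java_version(text):
    """Return (family, update) found in `java -version` output, or None."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    # A string with no _<update> suffix is the initial release (update 0).
    return int(m.group(1)), int(m.group(2) or 0)


def classify(text):
    """Map one machine's version output to a status string."""
    version = parse_java_version(text)
    if version is None:
        return "unknown"
    if version <= LAST_VULNERABLE:
        return "vulnerable"
    if version < CURRENT_RELEASE:
        return "outdated"  # past the vulnerable range, behind 6u21
    return "current"


# Constructed inventory: host names and outputs are sample data.
SAMPLE_INVENTORY = {
    "ws-01": 'java version "1.6.0_18"',
    "ws-02": 'java version "1.6.0_21"',
    "ws-03": 'java version "1.6.0_20"',
    "ws-04": 'java version "1.5.0_22"',
    "ws-05": 'java version "1.6.0"',
    "ws-06": "java: command not found",
}


def audit(inventory):
    """Return {host: status} for every entry in the inventory."""
    return {host: classify(out) for host, out in inventory.items()}


if __name__ == "__main__":
    for host, status in sorted(audit(SAMPLE_INVENTORY).items()):
        print(f"{host}: {status}")
```

Machines reported as `unknown` still need a manual check, since a missing `java` command on the path does not rule out a browser plug-in installed elsewhere.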