Oracle released the statement late Friday following a U.S. Department of Homeland Security recommendation that all Java 7 users disable or uninstall the software until a patch was issued, reports Reuters. Taking action on its own, Apple quietly disabled the plugin through its OS X anti-malware system shortly after hearing of the exploit.
No timeline for the fix has been given; Oracle's statement said only, "A fix will be available shortly."
The U.S. Department of Homeland Security said that Java's most-recent vulnerability is being "attacked in the wild, and is reported to be incorporated into exploit kits."
For its part, Oracle noted in its statement that the flaw only affects the most up-to-date version of Java 7 and Java software designed to run in Internet browsers.
Java and Apple have had a rocky relationship over the past few years, including Apple's decision to drop the Java runtime from the default installation of OS X 10.7 Lion when the OS debuted in 2010. Another flaw in Oracle's Internet plugin was responsible for the most widespread Mac malware ever when the "Flashback" trojan reportedly infected some 600,000 OS X machines in April 2012.
Apple continued efforts to deprecate Java from OS X over the past year, culminating in the company's final official in-house Java update issued in May 2012. From that point, all responsibility for future updates was handed over to Oracle.
Update: Oracle on Sunday released a fix for the Java 7 flaw discovered on Friday. Users can download the release here.
From the release notes:
The fixes in this Alert include a change to the default Java Security Level setting from "Medium" to "High". With the "High" setting, the user is always prompted before any unsigned Java applet or Java Web Start application is run.
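For administrators who want to see where that "Security Level" slider is actually stored, and to set it centrally rather than relying on each user's Java Control Panel, here is a `deployment.properties` fragment showing the pre-fix default beside the hardened one. This is an added example, not text from the article or from Oracle's release notes; the key names (`deployment.security.level`, its `.locked` suffix) and the file locations in the comments are assumptions taken from the Java 7 deployment documentation of that era, so verify them against the Java version you deploy.

```properties
# Added example (not from the article or Oracle). Assumed key names and
# locations, per the Java 7 Deployment Guide:
#   user file:   ~/.java/deployment/deployment.properties (Linux / OS X)
#                %USERPROFILE%\AppData\LocalLow\Sun\Java\Deployment\deployment.properties (Windows)
#   system file: whatever ${java.home}/lib/deployment.config points at via
#                deployment.system.config=file:/path/to/deployment.properties

# Weak setting (default before 7u11): unsigned applets and Web Start apps
# run without prompting the user.
#deployment.security.level=MEDIUM

# Hardened setting (the new 7u11 default): the user is always prompted
# before any unsigned applet or Web Start application runs.
deployment.security.level=HIGH

# In the system-level file only: lock the value so the Java Control Panel
# cannot be used to lower it again. A key ending in ".locked" with no
# value marks the corresponding setting as read-only for users.
deployment.security.level.locked
```

Setting the value in the system-level file (and locking it) is what makes the change hold across a fleet; the per-user file is overwritten whenever a user moves the slider in the Control Panel. None of this removes the underlying browser-plugin attack surface, which is why the DHS advice to disable or uninstall the plugin still applied until the patch was installed.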