<p>Java 7 users: Have you updated to the latest version of the software, released last week by Oracle?</p><p>Anyone who isn't using Java 7 update 21, released last Tuesday, is at risk of being exploited via active attacks that target one or more Java browser plug-in vulnerabilities patched by Oracle.</p><p>Related attacks began Sunday, according to a brief research note published by security firm F-Secure. That's just five days after Oracle released the update, which included fixes for 42 vulnerabilities -- 39 of which could be remotely exploited without authentication -- as well as a new malicious Java application warning system.</p><p>One of the patched vulnerabilities (CVE-2013-2423) could be used to disable the Java security manager and run arbitrary code outside of the Java sandbox, according to Jeroen Frijters, the lead developer of the IKVM.NET project -- which maintains a Java virtual machine implemented in .NET. Frijters advertises himself as an "accidental security researcher."</p><p><a href="http://www.informationweek.com/security/application-security/java-flaw-targeted-by-crimeware-toolkit/240153530">Keep reading...</a></p>