The malware is a new variant of Flashback, a password-stealing trojan. The latest strain takes advantage of a flaw in Java -- CVE-2012-0507, according to F-Secure -- which was patched by Oracle in February. But Apple has yet to push the update to its Mac OS X platform.
As users await a patch, an F-Secure threat researcher who goes by "Brod" suggested on Monday that they disable Java in their browsers to avoid falling victim to the exploit, which is being delivered via malicious web pages.
"So if you haven't already disabled your Java client, please do so before this thing really becomes an outbreak," Brod wrote.
An Apple spokesperson did not return an email seeking comment.