Oracle accompanied its fix with another change: The updated version's default security setting is now "high" rather than "medium," so that users will be asked to sign off case by case on many Java activities. Users will be "prompted before any unsigned Java applet or Java Web Start application is run," Oracle said.
Even after Oracle's move, many experts on computer security say Java software remains vulnerable to hackers.
Incident-response experts at the CERT Coordination Center, based at Carnegie Mellon University, continue to view the Java browser plugin as high-risk software, even with the new patch installed.
"Unless it is absolutely necessary to run Java in web browsers, disable it as described below, even after updating" to the newly released Java 7 Update 11, a CERT vulnerability notice says. "This will help mitigate other Java vulnerabilities that may be discovered in the future."
A number of independent Web-security analysts are sounding similar notes of caution.
"It’s nice that Oracle fixed this vulnerability so quickly," writes Internet security blogger Brian Krebs. But "it seems malware writers are constantly finding new zero-day vulnerabilities in Java."
A "zero-day" attack is one that exploits a vulnerability the vendor and the public did not know about before it was used, so defenders have had zero days to develop and deploy a patch.
"Most users who have Java installed can get by just fine without it," Mr. Krebs wrote Sunday, as Oracle unveiled its Java update. "If you need Java for a specific Web site, consider adopting a two-browser approach. If you normally browse the Web with Firefox, for example, consider disabling the Java plugin in Firefox, and then using an alternative browser ... with Java enabled to browse only the site(s) that require(s) it."
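The two settings the article describes, the browser-prompt level that Oracle raised from "medium" to "high" and the stronger step of disabling Java in browsers altogether, are both controlled by the Java deployment properties file. The fragment below is an added illustration, not text from the article, Oracle or CERT; it uses the `deployment.security.level` and `deployment.webjava.enabled` keys that Oracle introduced with Java 7 Update 10, and assumes the per-user file locations shown in the comments (the exact path can differ by platform and site).

```properties
# Per-user Java deployment properties (added example, not from the article).
# Typical locations (assumed; verify for your install):
#   Windows: %USERPROFILE%\AppData\LocalLow\Sun\Java\Deployment\deployment.properties
#   Linux/macOS: ~/.java/deployment/deployment.properties

# Weak pre-7u11 default: unsigned applets run without a prompt.
# deployment.security.level=MEDIUM

# The 7u11 default the article describes: prompt before any unsigned
# applet or Java Web Start application runs.
deployment.security.level=HIGH

# CERT's recommendation goes further: turn off Java in every browser
# while leaving the runtime available for desktop applications.
deployment.webjava.enabled=false

# In a managed fleet, the same keys go in the system-wide file that
# deployment.config points to, with ".locked" entries so a user
# cannot re-enable the plugin from the Java Control Panel.
# deployment.security.level.locked
# deployment.webjava.enabled.locked
```

Note that `deployment.webjava.enabled=false` disables the plugin for every browser on the machine, which is the "disable it everywhere" option CERT recommends. Mr. Krebs's two-browser approach is instead done inside each browser's own plugin manager, with Java left off in the everyday browser and on only in the one reserved for the site that needs it.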