In general, security researchers do not reveal unexploited vulnerabilities until after notifying the software vendor and giving it time to fix them. "Once it's out in the wild, the cat's out of the bag at that point," Beardsley said.
Wisniewski was not comfortable with Rapid7's handling of the disclosure, saying, "I'm really torn." Because exploit code written by attackers is now so widely available, many more people will be vulnerable. Rapid7's own estimates are that roughly a third of Java users fail to remain up to date on patches.
"The people who published all the information drew a roadmap on how to exploit people," Wisniewski said. "That negative outweighs any benefit of us getting a patch out of Oracle a couple of months early."
Oracle is partly to blame for the disclosure because it refuses to work closely with researchers and won't discuss when or if it will release patches, Wisniewski said. "Oracle does not have the best track record of releasing updates in a timely manner, and that makes security researchers more apt to publish these things."
Oracle, which did not respond to a request for comment, had known about the Java 7 flaws since April, according to Adam Gowdiak, the founder and chief executive of Polish security firm Security Explorations. Gowdiak said he notified Oracle of 19 Java 7 issues, including the two critical flaws.
Attackers are increasingly targeting Java vulnerabilities, because the cross-platform runtime environment is typically installed on Linux, Windows and Mac computers. Experts have said the risk to users could grow if Oracle doesn't do more to secure the product.