Disclosure of Java zero-day prompted Oracle patch, says researcher

31.08.2012

Debate over disclosure continues

The quickness with which cybercriminals exploited the vulnerabilities has raised questions about whether researchers' disclosure of the flaws put more computer users at risk than necessary.

Some security vendors knew about the vulnerabilities for weeks, but chose not to make them public because the number of attacks was small. Until the vulnerabilities became widely known, Sophos saw attacks targeted at specific industries, affecting only hundreds of people, Chester Wisniewski, senior security adviser for the vendor, said.

Once the flaws became public, the number of people at risk grew to hundreds of millions, given Secunia estimates of a billion computers running Java 7.

The public disclosure of the flaws started when a security vendor reported that cybercriminals were exploiting an unpatched Java vulnerability. While the vendor did not provide complete details of the flaw, there was enough information for Joshua Drake, a security researcher from Accuvant, to build a proof-of-concept exploit with the help of Rapid7.