Disclosure of Java zero-day prompted Oracle patch, says researcher

31.08.2012

"The people who published all the information drew a roadmap on how to exploit people," Wisniewski said. "That negative outweighs any benefit of us getting a patch out of Oracle a couple of months early."

Oracle is partly to blame for the disclosure because it refuses to work closely with researchers and won't discuss when or if it will release patches, Wisniewski said. "Oracle does not have the best track record of releasing updates in a timely manner, and that makes security researchers more apt to publish these things."

Oracle, which did not respond to a request for comment, had known about the Java 7 flaws since April, said Gowdiak, the founder and chief executive of Polish security firm Security Explorations. Gowdiak said he notified Oracle of 19 Java 7 issues, including the two critical flaws.

Attackers are increasingly , because the cross-platform runtime environment is typically on Linux, Windows and Mac computers. Experts have said the risk to users could grow if Oracle doesn't do more to secure the product.