However, Java-based attacks are still rare, and rather than developing a brand-new type of attack, criminals are more likely to spend their time using known vectors such as the browser or Adobe Reader, said Russ Cooper, a senior information security analyst with Verizon Business.

"Java has not been exploited to any extent that should worry the average consumer, heck, or business for that matter," he said via instant message.

The flaw affects "all versions since Java SE 6 update 10 for Microsoft Windows," Ormandy said. Linux users may also be affected, Symantec said in a on the issue.