Chou urged users to be cautious while browsing potentially-risky sites, although that may be difficult: Exploits are often hosted on legitimate websites that have been compromised by hackers.
Java has been increasingly targeted by attackers, in part because it's a cross-platform technology that can be exploited not only on Windows PCs, but also on Macs. According to the Russian antivirus vendor Kaspersky, more than half of all attacks in the third quarter of 2012 leveraged Java vulnerabilities. Microsoft said much the same more than a year ago.
Other companies' software has been similarly targeted in the past, notably Adobe's Reader, a factor in that firm's increased attention to security over the last few years. Oracle may need to do the same to prove that Java is secure enough to use.
"This is a wake-up call for [Oracle]," said Gowdiak, when asked whether the US-CERT recommendation had long-term implications for Java's survival and continued use.
"This isn't the demise of Java," cautioned Chou. "It won't be going away anytime soon, especially on the server side and for desktop applications. I have no idea if Oracle will be able to move Java onto a more secure path. [But] it takes time, even when the organization is serious."
Other security pros, though, were ready to give up on Java. In a tweet last week, Andrew Storms, director of security operations at nCircle Security, simply said, "Just uninstall Java."
Sign up for Computerworld eNewsletters.