Java continues to be plagued by critical security flaws that are actively exploited by attackers despite Oracle's patches, according to prominent information security analysts.
Security researcher and blogger Brian Krebs has discovered that the administrator of a crimeware forum was selling a new Java zero-day exploit to two "seriously interested buyers" for US$5,000 (A$4,735) per sale.
The administrator wrote that the code had already been sold once and was not included in any known exploit pack, and said he was open to higher counter bids.
Krebs notes that the thread with the offer had since been deleted and believes a second buyer had been found for the exploit.
According to Krebs, the thread in the crimeware forum "should dispel any illusion that people may harbour about the safety and security of having Java installed on an end-user PC without taking careful steps to isolate the program."
Security experts are recommending that users either disable Java in their web browsers or remove the software completely, in light of several recent security flaws that let attackers take control of computers unnoticed.
The frequently occurring security flaws in Java have made it popular with attackers, who are selling and renting out exploit kits. Security firm Kaspersky says Java flaws are behind half of all computer compromises, compared to 28 percent for Adobe Reader.
Oracle broke its usual three-monthly patch cycle and rushed out a fix for the latest exploit. However, experts say the patch issued by Oracle is incomplete and that users are still at risk.