"Software vendors have a responsibility to provide secure code of a certain quality, and vendors of widely deployed software like Flash Player or Java simply have no excuse," Eiram said. "Adobe realized this and have made a serious and successful effort to improve their code. Microsoft did the same many years ago. It's time for Oracle to follow in those footsteps."
There are indications that Oracle's developers are unaware of Java's security pitfalls and that code security reviews are either not done at all or not comprehensive enough, Gowdiak said. Many of the issues identified by Security Explorations violate Oracle's own secure coding guidelines for Java, he said.
"We found many flaws which should have been eliminated by the company at the time of a comprehensive security review of the platform prior to its release," Gowdiak said.
Oracle should implement a solid Secure Development Lifecycle for Java to weed out basic vulnerabilities and increase the code's maturity, Eiram said. An SDL is a software development process that emphasizes code security reviews and secure development practices to reduce vulnerabilities.
The best approach would be to ensure developers are properly trained by holding internal training sessions, as Microsoft did, and to review the existing code with help from external auditors, Eiram said. "Oracle might as well contract some of the skilled researchers who are looking at their code anyway."
Oracle has said it would accelerate the patching cycle for Java from 4 months to 2 months and promised to communicate better about Java security issues with all audiences, including consumers, IT professionals, the press and security researchers. The long intervals between Java security updates and Oracle's lack of communication on security have long been criticized.
"It will be interesting to see if they will honor their promise of communicating better with the public and press. In the past, they have -- in my opinion -- been downright arrogant and refused to comment on reported vulnerabilities, and even their validity," Eiram said.
The policy of not commenting on security issues, which Oracle said was necessary to protect users, resulted in users not knowing if externally reported threats were real or what Oracle was doing about them, he said. "This approach to security and responsiveness belongs in the previous millennium."
Security experts don't expect Oracle to solve all the problems in the near future in a way that will deter determined attackers.
"I do not foresee Java's security problems ending any time soon," Eiram said. "It took both Microsoft and Adobe a while to turn the boat around, and their products are still subject to zero-day [exploits] now and then. Java has a lot to offer attackers, so I expect them to keep their focus on it for now."
"I would not expect solutions any time soon," Kandek said. "IT administrators should invest their time in understanding where they need Java on the desktop and where they can restrict it."
Security experts agree that Java should be disabled where it's not needed, at least at the browser level. Many users don't even know they have Java installed on their computers. That's probably why Google and Mozilla chose to restrict the Java plug-in in Chrome and Firefox, Raiu said.
Apple has also blacklisted vulnerable versions of the Java plug-in on Mac OS X, and Windows has a registry setting that can limit Java use in Internet Explorer to trusted websites.