Security researchers have confirmed that the latest version of Oracle's Java software framework is vulnerable to Web hacks that allow attackers to install malware on end users' computers.

"We have successfully confirmed that a complete Java security sandbox bypass can be still gained under the recent version of Java 7 Update 11 (JRE version 1.7.0_11-b21)," Adam Gowdiak, CEO of Poland-based Security Explorations, wrote in an advisory posted Friday to the Full Disclosure mailing list. "As a result, two new security vulnerabilities (51 and 52) were spotted in a recent version of Java SE 7 code and they were reported to Oracle today (along with a working Proof of Concept code)."

Gowdiak's advisory comes a few days after researchers from security firms Trend Micro and Immunity Inc. independently reported that the emergency patch Oracle released on Sunday was incomplete. While attacks actively waged online last week exploited two vulnerabilities in an older version to surreptitiously install malware on computers that browsed to malicious websites, Java 7 Update 11 fixed only one of them, those researchers said. On Wednesday, KrebsOnSecurity reported that exploit code for that version was being sold in underground Internet forums.

In an e-mail, Gowdiak told Ars that his exploits aren't able to bypass a security protection added to Sunday's Update 11 that prevents unsigned or self-signed Java applets from running in a browser unless the end-user clicks an OK button. He said his attack would still work if attackers are able to use social engineering techniques to trick users into allowing the applet. Attackers likely could also circumvent the protection by using a stolen valid certificate.

As Ars has advised in the past, readers who have no use for Java should consider removing the Java plug-in from their browsers, or uninstalling Java altogether from their computers. Those who rely on Java can also enable the plug-in only in a browser dedicated to that purpose and use a separate browser for all other websites. Java 6, which Oracle is still supporting for the time being, hasn't been vulnerable to most of the recent exploits, although security experts remain mixed on whether it is a more secure alternative to Java 7. Gowdiak said one of the vulnerabilities Security Explorations discovered this week works on both versions, while the other works only on Java 7.

Representatives from Oracle didn't immediately respond to an e-mail seeking comment for this article.

Story updated to include details in second to last paragraph about which versions of Java are vulnerable to latest exploits.