Researchers said they've uncovered a flaw in the Java 7 update released by Oracle on Thursday that allows attackers to take complete control of end-user computers.

The flaw in Java 7 Update 7, which Oracle released to stop in-the-wild attacks that silently install malware on end-user machines, is the latest black eye for the security of the widely used software framework. It comes after revelations that Oracle learned of the vulnerabilities under attack in April, four months before the exploits were detected. Oracle has yet to explain the delay in fixing the bugs.

The latest bug "facilitates full Java sandbox bypass on latest Java 7 Update 7," Adam Gowdiak, the CEO of Poland-based Security Explorations, wrote in an e-mail to Ars. His team developed proof-of-concept code and delivered it on Friday to Oracle engineers. The discovery of the new critical bug was reported earlier by IDG News. There are no reports that it is being exploited online.

"The total hunt took about 2-3 hours," Gowdiak wrote. "It was done yesterday in the evening. The discovery was made [as] a result of a manual analysis of Java code (its implementation)."

Gowdiak declined to discuss technical details out of concern that they may make it easier for criminals to exploit the flaw in e-mail- or Web-based attacks. He said the discovery came "while trying to fix the proof-of-concept codes that stopped working after applying the recent Java patch."

An Oracle spokeswoman responding to a request for comment referred Ars to this advisory, which was published with Thursday's update. She and other representatives didn't respond to a follow-up e-mail informing her that the advisory was published before the most recent vulnerability was discovered.

This week's attack, and Oracle's lack of public response to them, has renewed calls by many—this reporter included—to remove Java from computers that don't use the cross-platform framework. Many programs that claim Java is required work fine, or almost as well, without the Oracle software, as confirmed by at least two Ars readers on Thursday. Even when it's mandatory for programs such as Adobe Photoshop, as one Mac-using Ars reader reported, users may want to remove Java plugins from their browsers if the websites they regularly visit don't require it. The removal advice has proved controversial to some, so Ars readers are encouraged to decide for themselves. (Oracle's official Twitter account for Java has also disagreed with the advice.)

Two of some 19 bugs that Gowdiak's firm reported in April were among those combined in the latest proof-of-concept attack to completely bypass the security sandbox Java relies on to ensure untrusted code can't access sensitive operating-system functions. Some of the remaining holes still haven't been plugged, and when linked to the latest discovered flaw, attackers could once again have the ability to escape the safety perimeter.

Said Gowdiak: "When combined with some of the April 2012 issues, the new issue allows [one] to achieve a complete [Java virtual machine] sandbox bypass in the environment of latest Java SE 7 Update 7 (version that was released on August 30, 2012)."