Oracle has updated its widely used Java software framework to fix critical vulnerabilities that criminals were actively exploiting to take full control of end-user computers.

The update for Java Standard Edition 7 renders it immune to exploits found on more than 100 websites, security researchers said. Oracle reportedly learned of the bugs more than four months ago, but didn't issue the fixes until Thursday, four days after researchers discovered they were being targeted. Thursday's update was unscheduled. (Oracle also released an update for Standard Edition 6, although initial reports indicated that the exploits worked only against SE 7.)

Critical bugs are inevitable in any complex piece of software. What has separated Oracle from developers such as Microsoft, Adobe, Google, and Mozilla during this latest episode is the deafening silence the company showed since the world learned of the vulnerabilities. Oracle representatives have declined to respond to press requests for comment. The company didn't acknowledge the attacks until Thursday, when it issued a notice advising users to install the patches immediately.

The vulnerabilities addressed in the update include the one designated CVE-2012-4681. Among those Oracle credited was Adam Gowdiak of Poland-based Security Explorations, who said he alerted Oracle engineers to the vulnerabilities in April. A brief analysis of the patch by the Immunity security firm found that at least two other vulnerabilities are fixed as well. A post on Oracle's security blog said the patch addressed three "distinct but related vulnerabilities and one security-in-depth issue affecting Java running in desktop browsers." The flaws also included CVE-2012-1682 and CVE-2012-3136.

Among the outfits exploiting the vulnerability in the wild was one dubbed the Nitro Gang. The group, which got its name from a previous attack that targeted chemical companies, has been exploiting the vulnerability to install malware known as Poison Ivy (aka Backdoor.Darkmoon) on the computers of unwitting users.

The episode has brought to the fore a piece of advice many security experts have echoed for years: if you don't need Java, uninstall it. Some programs that claim Java is required work almost as well without the Oracle software. Removing it significantly decreases the attack surface hackers have to target.