The critical Java vulnerability that is currently under attack was made possible by an incomplete patch Oracle developers issued last year to fix an earlier security bug, a researcher said.

The revelation, made Friday by Adam Gowdiak of Poland-based Security Explorations, is the latest black eye for Oracle's Java software framework which is installed on more than 1 billion PCs, smartphones, and other devices. Last year saw a steady stream of attacks that exploited Java vulnerabilities, allowing miscreants to surreptitiously install keyloggers and other malicious software when unwitting people browsed compromised websites. The abuse has already continued into 2013, when on Thursday researchers reported yet another critical bug that is being "massively exploited in the wild".

According to Gowdiak, the latest vulnerability is a holdover from a bug (referred to here as Issue 32) that Security Explorations researchers reported to Oracle in late August. Oracle released a patch for the issue in October but it was incomplete, he said in an e-mail to Ars that was later published to the Bugtraq mailing list.

"Bugs are like mushrooms, in many cases they can be found in a close proximity to those already spotted," Gowdiak wrote. "It looks like Oracle either stopped the picking too early or they are still deep in the woods."

Update: Asked for comment on Gowdiak's comments, an Oracle spokeswoman e-mailed the following statement: "Oracle is aware of a flaw in Java software integrated with web browsers. The flaw is limited to JDK7. It does not exist in other releases of Java, and does not affect Java applications directly installed and running on servers, desktops, laptops, and other devices. A fix will be available shortly."

Exploits of the latest Java vulnerability, which were first observed more than a month ago, are the combination of two bugs. The first involves the Class.forName() method and allows the loading of arbitrary (restricted) classes. The second bug relies on the invokeWithArguments method call and was also a problem with Issue 32 that Oracle purportedly patched in October.

"However, it turns out that the fix was not complete as one can still abuse invokeWithArguments method to setup calls to invokeExact method with a trusted system class as a target method caller," Gowdiak wrote. "This time the call is however done to methods of new Reflection API (from java.lang.invoke.* package), of which many rely on security checks conducted against the caller of the target method."

Developers of the Metasploit framework for hackers and penetration testers have released a module that should exploit the vulnerability on machines running Windows, Apple OS X, and Linux regardless of the browser they're using. The US-CERT, which is affiliated with the Department of Homeland Security, is advising people to disable Java in Web browsers.

Post updated to add Bugtraq link, details about Metasploit module, and Oracle comment.