Users can also opt to keep Java on their computer but disable it within the Web browser, the route through which the latest vulnerabilities exposed users to attack.
The two vulnerabilities patched by Oracle on Sunday both could be exploited by a malicious "applet," a Java application that's downloaded from another server and runs if a user has Java installed. Applets are often embedded in Web pages and run in the browser.
Security reporter Brian Krebs wrote on Wednesday that a zero-day Java exploit for an apparently brand-new vulnerability was being advertised for $5,000 in an underground hacking forum. The advertisement was posted for a short time, then disappeared, Krebs wrote.
Oracle officials did not respond to an email request for comment.