"Without going into further details, everything indicates that the ball is in Oracle's court. Again," said Gowdiak.
Not surprisingly, other security experts today again urged users to disable or even uninstall Java.
"Here's the best piece of advice we can give you right now: If you don't need Java enabled in your browser...turn it off now," said Graham Cluley, a senior technology consultant at Sophos, in a post to his company's blog. "Many people who have Java enabled in their browser simply do not need it, so the best solution for many folks is to rip Java out of their browser entirely."
Security professionals have long called on Oracle to step up its Java security game, but the wave of zero-days has triggered more aggressive advice, including reworking Java from the ground up.
For its part, Oracle has pledged to accelerate patching, but so far has committed to adding only one additional patch day to 2013's every-four-month schedule.
Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld.