Despite Oracle's recent Java security patch, hackers found a way into the programme and conducted email phishing campaigns directed at Microsoft and Amazon users.
Researchers at the SANS Institute's Internal Storm Center (ISC) and security firm Websense issued separate reports about the vulnerability, which became public late last month.
ISC focused on fake Microsoft Services Agreement emails that claimed to contain information about "Important Changes to Microsoft Services Agreement and Communication Preferences." The phishing email copied a legitimate, 27 August email from the Redmond-based firm, but replaced one of the hyperlinks with a virus.
Meanwhile, hackers used illegitimate "Amazon order" emails to deliver malicious links intended to access personal and financial data, according to Websense. On 1 September, the security site intercepted more than 10,000 emails with the subject "You Order With Amazon.com," which urged recipients to click on a hyperlink that sent the victim to a Blackhole exploit kit hacking tool.
"This email campaign further illustrates the ingenuity and speed at which cyber-criminals package and propagate malicious content along with social-engineering techniques in order to exploit both recent software vulnerabilities and the trusting nature of end-users," Websense said.
Oracle released an out-of-band fix last week, but didn't patch the hole entirely. Polish company Security Explorations said Friday that the update contains a bug that allows hackers to bypass and exploit the system. Security Explorations alerted Oracle to the problem on Friday.
Based on Oracle's four-month update cycle, which rolls around again on 16 October, a full fix could be on its way next month. In the meantime, some analysts have suggested disabling Java altogether.
Earlier this year, the Flashback Trojan infected more than 550,000 Macs when websites exploited the Java flaw that allows Flashback.K to download itself onto Apple computers without warning.
A further Java flaw, the Atomic Reference Array vulnerability, is thought to have enabled the alleged Anonymous breach of an FBI agent's laptop, which resulted in a reported payload of some 12 million Apple UDIDs.