The next Java update is scheduled for October 16.
"Oracle has a bad track record for releasing timely patches for Java exploits, but with all the attention this flaw is getting I would hope it would release an out of cycle fix if for no other reason than to save face," said Chester Wisniewski, senior security advisor at security vendor Sophos.
In the absence of a fix from Oracle, interim measures include disabling the Java plug-in, but care should be taken to ensure this is done for each browser installed on a particular system.
The US-CERT vulnerability note provides instructions or links to instructions for disabling Java in Chrome, Firefox, Internet Explorer and Safari.
A more radical response is to remove Java entirely unless it is really needed for particular functions.
Another mitigation for Firefox users is to use the NoScript extension to whitelist trusted sites.