Oracle effectively disables Java in all browsers?

I’ve personally disabled the Java browser plugin, despite having updated to the latest patch. The thing is, how effective is this at preventing infection?

Also, I’m of the opinion that people should be able to visit dodgy websites if they like. The issue here is not a user doing something stupid like clicking on an executable, but rather a part of the software that is supposed to be secure failing in its task.

As they say, it takes two to tango - the JRE browser plug-in is a huge security risk, but unfortunately the browser security net isn’t tight enough to catch things falling through the holes, and nor is the OS, because the JRE effectively runs with administrative permissions.

The JRE should only ever have been allowed to run with the credentials of a restricted user account. This goes for Mac OS and Linux as well, but sadly I believe on all 3 desktop OSes the JRE has “root”. Duh. Unbelievable really but there we go. Everyone involved in the toolchain is to blame for spectacular shortsightedness.

Cas :slight_smile:

It just gets better.

Agreed. I was under the impression that the JVM was quite limited when it comes to System interaction. Sad to be wrong on this one.

And I think JaGeX is trying to move away from Java. JaGeX is writing a RuneScape graphics engine that runs on HTML5.

Now that is daft. But then they are a surprisingly daft company.

Cas :slight_smile:

HTML5… you mean that thing that takes all those ideas from the Netscape/IE6 era and builds a “standard” API around them? As bad as all the plug-in creators are in terms of security, I almost feel bad for them. They don’t get the plausible deniability that comes with adopting meaningless terms to describe their products, even if just a few tightly connected companies are the ones trying to force feature creep in web browsers. When Flash, Java, or Windows go unpatched for a week it’s bad and bloggers know what brands to blame, but when a web browser supports ridiculous features that only serve to help virus writers and advertising companies it’s touted as innovation and gets invariably good press. It doesn’t matter if it’s unpatched for 6 weeks or 6 years. And it doesn’t matter if it’s insecure by design. It only matters if the problem is fairly invisible and can be patched through public relations instead of software changes.