Let's face it
Java, Adobe Reader, Adobe Flash are all ubiquitous and are good choices for attack vectors. Even easier than Windows as they tend not to get updated.
Oracle has released a cross-platform update for Java that addresses 17 vulnerabilities in the ubiquitous software platform. All 17 vulnerabilities might be abused to inject code into vulnerable systems, and all but one affect how Java Runtime Environment client software runs in browsers. Java 6 update 26 for Windows, Linux …
...actually use Java in a browser any more?
Sadly yes, for some crappy web sites that either don't work, or are a major pain otherwise. Examples include:
Facebook's photo uploader, either hand selecting 5 images at a time, or allowing them to access your machine via a Java thing to allow all files in a directory, etc, to be selected. No way on my PC!
One of the genealogy web sites my father uses is so crap a design that your choice is to use IE & ActiveX enabled, or a Java viewer (which, last time I looked at his PC, is also out of date and leaves an ever-increasing tree of cache directories):
http://www.scotlandspeople.gov.uk/Content/FAQs/Questions/index.aspx?206
The Devil & deep blue sea as far as security is concerned! For him I set up Linux & Java as the least-worst option for this.
This PC has always had the Java VM running on it, and I'd always assumed that something-or-other used it. From this article and from remarks here and elsewhere, I can see that it isn't, so I just uninstalled it. Hopefully it will improve my boot time a tad, too.
One of the voices in my head said "we might want to develop something in Java one day", but the other voices all just looked at it, until it said "I'll get my coat".
You need the JDK, and even if you install it, there is little (almost no) need to enable Java applets in browsers.
The VM isn't the problem; browser applets' automatic running is the problem.
Also, you won't get a speed-up on booting if you remove Java; it isn't resident except for the 700KB Java update checker. They should have used Windows' built-in scheduling like Apple Software Update, btw.
Successful, secure apps are always "real" stuff, for example Vuze, not Java applets. Applets have very stupid restrictions anyway.
Tell that to Thomson Reuters, who have several successful (i.e. popular and profitable), secure applications for trading FX and other instruments, all delivered as Java applets and Java Web Start. The users are tier 3 institutions, rather than full-time traders, because the Internet introduces latencies that are unacceptable for the latter, but they still trade billions of dollars.
Before working on these applications I too thought applets were just annoying gadgets embedded in web pages. To my surprise I discovered that an applet can be a good way to deliver a large, complex application to the desktop. No need for distribution media or download instructions. No requirement to get authorisation for a desktop installation - in companies that have outsourced their IT infrastructure this can take months.
This is something I wish I'd known before I spent a year rewriting a Java Swing program as a web application.