With versions of Firefox that I use on my Centos 5.8 and Centos 6.3 Linux systems, the Java plugin was not supplied.
If you get the plugin (part of the JRE from Oracle) and go to activate it there are several manual steps. You have to really
When you finally get it set up you are presented with a warning message from Firefox. Here's part of the message from Firefox 10.0.11:
Java Plugin has been blocked for your protection.
Who is affected?
All Firefox users who have installed the Java plugin, JRE versions below 1.6.0_33 or between 1.7.0 and 1.7.0_4.
After all of this, if you really want to activate it so that you can run Java applets from your favorite web site, you can, but you can't say you haven't been warned.
It has been suggested that a useful browser feature might be an "opt-in" option on a site-by-site basis for browsers so that if you want to use an applet from a trusted site you might be able to. (You can presently set up an "opt-in" option for all cookies. It asks you whether you want to accept cookies when a site wants to set one.)
Even if this were available for Java plugins, I note that you still would have to be on guard for malware that can stash itself in your system and cause redirection from the web site that you think you are accessing to one of the blackhat guys. Remember the infamous Windows rootkit exploit? Particularly nasty, since it exploited a security feature at the very bottom of the operating system, hidden from just about all "normal" programs. This thing is still floating around, but now there are ways of detecting and preventing it. Most of the time. (I suspect that if any of the bad guys are successful in infecting your computer this way, they would have something in mind more "interesting" than playing havoc with Java applets.)
There have been lots of Java browser plugin security flaws reported over the years (I seem to remember one last July or August), but actual attacks have not been widely documented. This latest warning comes, apparently, from real exploits that are now loose in the wild. Warning from U.S. Homeland Security? That's a new one (I think).
I'm thinking that there have been security flaws for just about every program (major or minor) in widespread use, not just the Java plugins for browsers. I mean, I get security updates for various Linux application programs at a rate of several a week, but there are rarely any actual exploits.
Anyhow, I can't say how widespread any exploits of the latest Java plugin bug really are, but...
You can't say that you haven't been warned. (But I said that already.)
Bottom line: Eternal vigilance is not only the price of freedom. It is also the price of security. (To the extent that security is attainable.)