right...
So you're saying that exploits, malware and viruses that can enter a system where Java (or at least the JRE) as a vector are not important.
Because you told them to run? you gave the program the ability to run.
well surely by the same logic no viruses are problems then, if you hadn't used that OS, or if you hadn't clicked that file...?
The point is that Java does open new vectors for attack simply because it adds new methods for running code which should run in a reliable way, (or does run in a reliable way) at the OS layer, but in the abstraction layer that the runtime is adding nefarious things are happening. -i.e there is no way for the OS to adequately see that some kind of exploit is attempted.
one product and soooooo many security problems.
have a look at the update history.
Java version history - Wikipedia, the free encyclopedia
Java SE 7 Update 13 2013-02-01 50 security fixes
Fifty!!!
but then less than three weeks after that
Java SE 7 Update 15 2013-02-19 5 Security Fixes
another five
a fortnight later another couple of security holes.
I understand that things can change in what may be executed in code, but I doubt that IBM rolled out worldwide a piece of hardware containing a processor running code to be interoperated by the JRE that was a bit sloppy doing things it shouldn't have.
how do you define the ways you should use something? if something is good code, and it works, BUT using a feature in a slightly different way is a bug or can lead to an exploit, then Sun's fix was just to rip out the feature, and to hell with a million of so integrated hardware devices deployed over the world. -they will have to use the old buggy version that we know if full of security holes!
as for the scare mongering, the update can leave older versions, (not only is this a pain because it leaves insecure and exploitable software on the system, it also uses up a fair whack of disk space per version installed. (as a note this behaviour seems to have been fixed, though whether it was fixed or I just found the right setting to stop it happening is anyone's guess).
as a test, I've pressed update now.
it's currently saying it's installing update 35, why? who knows why that's certainly not the latest version.
after the update is complete I check the Java version as 1.7._17 (well that's not what it told me it was installing!)
Though it has removed the older version 1.6._ that was on my computer previously. (so the updater's behaviour may have changed...)
anyway, all this goes back to what I was saying originally.
Java, write once run anywhere.
great for developers.
having a huge new attack vector isn't so great for the users.
as far as business software goes, (where you may control the software running on a given machine, and where that machine has access to, such that nobody can find some dodgy jar file to run. then that's OK.
as for applets requesting older version of the runtime environment.
Java Control Panel
If a JNLP file requests a JRE that is not installed, then this option specifies what action is performed...
Applications CAN and do request different versions of JRE, the behaviour is defined, and you can go into the options in the control panel to control and configure what things can run.
which is fine for someone who knows how to.
though even then that leaves someone like myself with the problem that they need a machine with an old insecure version configured to work at request, but there is still no way to say, "only work for this request" or at this time or whatever.
as if to prove a point, the first application I tried to use after updating java tried to request an old version (1.6.23). (that I no longer have installed).
If if was installed then I'd have just gotten a "do you want to run this" message not "do you want to run this version with 173 known security issues" message. (and when you talk about users having installed and therefore allowed code to run on their system there is a huge difference between these messages.