Quoted from Pinchroma:
You mean the zero day exploit that is only exploitable if you ACTUALLY accepted the 3 prompts telling you NOT TO accept an unsigned app from an unknown developer on a site with an invalid certificate?
Yeah that ZERO DAY exploit.
Did you know, Aurich, that you had to accept the execution of that zero day exploit 3 different times (4 if the source is non-SSL) to actually get it to run?
Uh, no. I mean this zero day exploit, that runs malicious code without any of that (the very same one I linked earlier):
"Several months ago, we disclosed that Pawn Storm was using a then-undiscovered zero-day Java vulnerability (CVE-2015-2590) to carry out its attacks. At the time, we noted that a separate vulnerability was used to bypass the click-to-play protection that is in use by Java. This second vulnerability (CVE-2015-4902) has now been patched by Oracle as part of its regular quarterly update, with credit given to Trend Micro for the discovery.
Click-to-play requires the user to click the space where the Java app would normally be displayed before it is executed. In effect, it asks the user if they are really sure they want to run any Java code.
Bypassing click-to-play protection allows for malicious Java code to run without any alert windows being shown."
My emphasis added.
If defending Java browser plugins is the horse you really want to ride, have at it. But you're not doing your rep any good by doing so, it's a pretty weird hill to die on.
It's a shame; you're a smart guy, you know a lot about useful topics like powder coating, and I'm sure we'd get along fine in person. But you just can't help being a needling dick online for whatever reason. You're in the wrong here. No security expert would ever back your play. Places like Trend Micro have been recommending limiting Java for years, long before this last zero day exploit.
This isn't exactly secret cutting edge stuff.