There are plenty of people in the IT industry who would like nothing better than for Java never to have existed. The current vulnerability is being seized on by anyone with an agenda to feed the media with FUD, and the media, not knowing any better, dutifully report the information they are given. What are the facts?
1. The vulnerability is only really significant for Java running inside a web browser through the unsigned applet mechanism, which accounts for about 0.1% of Java usage. Unsigned applets run inside the JVM's sandbox; the flaw matters because it lets code escape that sandbox, after which it runs with whatever privileges the browser process already has.
Statements from “security experts” like “Java security is a mess” are true only in the context of running Java in a web browser, and should be qualified as follows: running any code downloaded from the internet on an operating system with no real intrinsic security is suicidal. It is not really Java that is the problem; the problem is operating systems that let a web browser run with enough privilege to make fundamental changes to the core of the system. Just as you would never download and run an untrusted native executable as root, or even as “Administrator”, you have only yourself to blame if you click “OK” when asked “Do you mind if I run this untrusted code … that will steal your identity, empty your bank account, sell your house and destroy your life?”. Don’t blame a language (any language); blame the browser, the OS, or yourself.
Applets should have been deprecated in 2001. They were relevant when browsers were incapable, but they have long since been superseded. This vulnerability has nothing to do with 99.9% of Java usage. It’s a pity, though not surprising, that this message will never reach the mainstream media. Long live FUD.