Adam Gowdiak in [SE-2012-01] An issue with new Java SE 7 security features:

That said, recently made security “improvements” to Java SE 7 software don’t prevent silent exploits at all. Users that require Java content in the web browser need to rely on a Click to Play technology implemented by several web browser vendors in order to mitigate the risk of a silent Java Plugin exploit.

This was via Ed Bott, who has also been covering the deceptive installs included with nearly all Java updates:

  • When you use Java’s automatic updater to install crucial security updates for Windows, third-party software is always included. The two additional packages delivered to users are the Ask Toolbar and McAfee Security Scanner.
  • With every Java update, you must specifically opt out of the additional software installations. If you are busy or distracted or naive enough to trust Java’s “recommendation,” you end up with unwanted software on your PC.

I have checked, and (so far) I cannot correlate kitten deaths with Java installs, so we’ve got that going for us.

Which is nice.