Java used to be a favored vulnerability target for cybercriminals. However, in recent years that has not been the case. The now-fixed Java zero-day that was used in the Pawn Storm campaign was, in fact, the first time in nearly two years that a zero-day had been found and reported in Java.

This can be attributed, in part, to stepped-up security measures for Java. As Oracle notes on the Java home page itself, out-of-date Java plugins are now disabled by major browsers. In addition, Java 7 Update 51 (released in January 2014) tightened the rules on what kind of applets could be run. By default, self-signed and unsigned applets (the ones most likely to be used by attackers) would not run in browsers. The JRE also has click-to-play protection for all applets (signed and unsigned). Taken together, these have made Java a far less attractive platform for attackers.