More Java Woes - and so soon...

New Java Exploit Fetches $5,000 Per Buyer

Good one. I feel sorry for the Java programmers LOL! :slight_smile:

Cybercrooks have begun distributing an item of malware that poses as a Java security update.

Read more: VXers exploit users' confusion over Java to punt fake update • The Register

Latest Java Update Broken; Two New Sandbox Bypass Flaws Found

Critical Java vulnerabilities confirmed in latest version

:'( :'( :'( :'( :cry:

I agree with the comments that most of the exploits and such are applets or Web Start and/or JNLP. Even though I'm just a novice, I guess it's a good thing I haven't read the applets, Web Start and JNLP sections of the Java tutorials :wink:

Though thinking about it, isn't an applet the same as a Java application inside a web sandbox?

But a Java application would mean you downloaded the JAR files and are running them on disk, or installed them in the JRE ext folder, and it may or may not have internet/network access.

Edit:

I just thought I'd also ask about Java JRE apps. I don't know what the default Java security configuration is for a Java application on disk (java.exe) versus a Java applet in the Java plugin (javaw.exe), because from what I understand, but I might be wrong, Java applets run inside a sandbox and Java applications don't. But since a Java application is run on disk, I assume it is scanned and well monitored by your security app. And just to clear up, I am assuming the restriction is what privilege the JRE has, I think, rather than the OS system privilege.

And to say, applets and J2EE (JSP, EJB, etc.) are different: the applet runs on your system and J2EE runs on the server (except RMI, if I understand it right).

Here we go again!

News for Java’s new “very high” security mode can’t …

Edit: changed url from Google to Ars Technica. Eric

I don't know if this fixes the new vulnerability for the very high, but still, just to update people:

https://blogs.oracle.com/security/entry/february_2013_critical_patch_update