A newly discovered Java vulnerability allows an attacker to bypass the Java sandbox, leading to remote code execution from unsigned content. An attacker exploiting this vulnerability would be able to target Java 5, Java 6, and the latest version, Java 7.
Because Java is a cross-platform language, all Java users, whether on Linux, OS X, or Windows, are vulnerable. It’s this ‘write once, exploit everywhere’ quality that makes Java such a tempting target. With over 1 billion devices running Java, it’s plain to see why an attacker would look for exploits there.
The exploit is also confirmed to work in all browsers on 32-bit Windows 7, and it should work in all browsers on every Java-capable platform.
On top of Java’s tempting nature, there’s Oracle’s poor history with Java security. Patches tend to arrive late, long after attacks have begun, and the Java Runtime Environment has no particular security-oriented hardening (even though it seems like it could, if Oracle only tried).
It wasn’t long ago that another vulnerability in the JRE was found. That one affected Java 7 only, and everyone was surprised that Oracle was able to patch it in about 4 days. Or at least they were surprised until they found out that Oracle had been notified of the vulnerabilities months earlier.
The short story is that Java is always going to be a target. On Windows you can rely on third-party software to confine it, and on Linux you can put it under AppArmor.