The reason why Microsoft JVM is not hurting you is because you are
primarily using a gecko browser and that does not use MS JVM.
I can assure you letting Java applets run in the browser always entails
risks, after all you are running a full fledged program through your
browser. In fact, arguably, MS's version is even more risky than Sun's.
ActiveX was the same but always got much worse press, partially because
of a combination of poor defaults set by MS, poorly thought out prompts
that allowed constant spamming, security holes, and most importantly it
was confusing to users because it relied 100% on the user understanding
what a "signed ActiveX" meant.
Java wasn't as bad, because initially it had a sandboxing concept that
made it a touch harder to cause damage, but even then there were
constant leaks, as people found ways to work around the sandbox, causing
lots of Java updates.
Nowadays Java applets can be signed too, and my understanding is that if
you accept a "signed applet", the sandboxing restrictions are off,
and the applet has full rein of your computer.
The problem with this is that the history of ActiveX has shown that most
people don't understand the concept of certificates. They see something
is signed, and they think it's okay.
So the same story is beginning again...
It seems Firefox users are no better, since that "exploit" was the
basis of one of the "Firefox infected by spyware" news stories! You click
yes to the signed applet, and it starts downloading adware onto your
computer!
Makes the whole "leak my internal IP" business look positively trivial,
don't you think?