In Java 1.7.0_40 Oracle has made its strongest play yet to neutralise these exploits. To date, the focus has been on sandboxing applications running in the browser so that they cannot reach the rest of the system. In this release Oracle now also heavily discourages running web-based applications that are not signed with a valid certificate: unsigned code still runs, but only after a warning dialog that the user has to click through.
Does this improve security? Not by itself. A signature only proves who signed the code, not that the code is safe, and code signing certificates are cheap to buy and easy to get, so expect Java exploits to migrate from being unsigned to being signed. What Oracle is actually working towards is easier to see by looking at Apple's Gatekeeper.
Gatekeeper, in its default setting, only launches downloaded OS X applications that are signed with an Apple-issued developer certificate. Double-clicking an unsigned application produces a flat refusal with no "run anyway" button (an override exists, but it is deliberately out of the way). Apple's reasoning is that, in most situations, giving the end user an easy option to bypass a security restriction leads to less security and more compromised systems.
Gatekeeper also lets Apple neutralise a malicious application after the fact by blacklisting the certificate used to sign it. Gatekeeper fetches the updated blacklist from Apple and refuses to launch anything signed with a blacklisted certificate. This does not clean up systems that are already infected, but it contains the problem by preventing new infections, and it only works because the signature ties every application to an identifiable signer. The limitation is that a blacklist catches only what has already been identified and reported, so a signed exploit runs freely until the blacklist update reaches the machine. For Java, this level of control is much easier if applications are signed.
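To make the reasoning of the last two paragraphs concrete, here is an added example (it is not from the original post, and it is neither Java's nor Apple's implementation) in Go that models a Gatekeeper-style launcher policy: it rejects unsigned code, rejects signatures that do not verify or do not chain to a trusted issuer, and only then checks the signer's certificate fingerprint against a blacklist. All keys, certificates, developer names and the sample payload are generated or constructed inline and are assumptions of the example; Ed25519 stands in for the RSA keys that real code signing certificates typically carry.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Artifact models a downloaded application: code, signer certificate and a signature over the code. Cert == nil means unsigned.
type Artifact struct {
	Code      []byte
	Cert      *x509.Certificate
	Signature []byte
}

// Fingerprint is the hex SHA-256 of the certificate's DER bytes, the usual key for a blacklist entry.
func Fingerprint(c *x509.Certificate) string {
	return fmt.Sprintf("%x", sha256.Sum256(c.Raw))
}

// Launcher is a Gatekeeper-style policy: a valid signature from a certificate chaining to a trusted issuer is required, and the signer must not be blacklisted.
type Launcher struct {
	Roots     *x509.CertPool
	Blacklist map[string]bool // keyed by Fingerprint
}

// Check applies the policy and, if the artifact is refused, says why.
func (l *Launcher) Check(a Artifact) (bool, string) {
	if a.Cert == nil {
		return false, "unsigned"
	}
	// 1. Cryptographic check: the signature must cover exactly this code (catches tampering after signing).
	pub, ok := a.Cert.PublicKey.(ed25519.PublicKey)
	if !ok || !ed25519.Verify(pub, a.Code, a.Signature) {
		return false, "bad signature"
	}
	// 2. Trust check: the signer must chain to a trusted issuer (rejects self-signed certificates).
	opts := x509.VerifyOptions{Roots: l.Roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}}
	if _, err := a.Cert.Verify(opts); err != nil {
		return false, "untrusted signer"
	}
	// 3. Revocation check: the only step that stops a correctly signed malicious application.
	if l.Blacklist[Fingerprint(a.Cert)] {
		return false, "blacklisted signer"
	}
	return true, "ok"
}

// mustIssue generates a key pair and a code-signing certificate for cn, signed by parentKey under parent; a nil parent yields a self-signed certificate.
func mustIssue(serial int64, cn string, isCA bool, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
	}
	if isCA { // Go's chain verifier requires cA=true and keyCertSign on issuers
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
		tmpl.KeyUsage = x509.KeyUsageCertSign
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // bytes we just produced always parse
	return cert, key
}

// sign builds an artifact: the code, the developer's certificate and an Ed25519 signature over the code.
func sign(code []byte, cert *x509.Certificate, key ed25519.PrivateKey) Artifact {
	return Artifact{Code: code, Cert: cert, Signature: ed25519.Sign(key, code)}
}

// BuildDemo creates a trusted issuer and three developers (names assumed), signs a constructed payload with each, and returns a launcher that blacklists one of them.
func BuildDemo() (*Launcher, map[string]Artifact) {
	ca, caKey := mustIssue(1, "Example Code Signing CA", true, nil, nil)
	dev, devKey := mustIssue(2, "Honest Developer", false, ca, caKey)
	bad, badKey := mustIssue(3, "Malware Author", false, ca, caKey)
	self, selfKey := mustIssue(4, "Self-Signed Developer", false, nil, nil)
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	code := []byte("class Applet { /* constructed sample payload */ }")
	return &Launcher{Roots: roots, Blacklist: map[string]bool{Fingerprint(bad): true}}, map[string]Artifact{
		"unsigned":    {Code: code},
		"honest":      sign(code, dev, devKey),
		"malicious":   sign(code, bad, badKey), // validly signed; the signer has since been blacklisted
		"self-signed": sign(code, self, selfKey),
	}
}
```

Running the scenario shows the point of the post: the "malicious" application carries a perfectly valid signature from a certificate the issuer was happy to sell, so it passes the cryptographic and trust checks and only the blacklist stops it; drop the blacklist entry and the launcher allows it. Code altered after signing fails the first check, and a self-signed certificate fails the trust check however good its signature is, which is why the launcher must see a signer it can identify before a blacklist can do any work.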
As a Java applet or JNLP developer this all feels like slow progress. Web-based Java applications continue to offer a poor user experience, and red-text security dialogs will do little to ease users' concerns about Java. With JWrapper's application deployment system, however, developers now have a powerful alternative: applets can easily be ported to JWrapper and still benefit from web-style features such as auto-updating and centralised deployment, while gaining the security and ease of use of a dedicated desktop application. JWrapper is what JNLP and Web Start were meant to be.