As a computer repair technician, I clean up a lot of computers with Java-based malware. Java is known for its zero-day vulnerabilities and as a popular vector for cross-platform attacks. On top of that, Java Runtime Environment (JRE) updates never remove old versions, and Java installs and enables plugins for all popular browsers (Chrome, Firefox, and IE).
Lately I’ve started disabling the Java plugin in Chrome (my main browser) on my own computers to avoid infection, and I just came across someone else who had the same idea: http://superuser.com/questions/201613/disable-java-plugin-in-google-chrome
Jeff Atwood, renowned author of Coding Horror, started a discussion on superuser.com regarding his experiences with drive-by installs delivered via Java browser plugins, and suggests that users go as far as removing Java unless they know they have to use it.
My advice to anyone looking to avoid drive-by installs (which should be everyone) is to disable Java browser plugins (if only temporarily) to protect yourself while you browse the web. You should also update your JRE installation and remove old, exploitable versions and their browser plugins.
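To find the old versions that JRE updates leave behind, the following added example (not from the original post) flags every installed JRE entry that is not the newest for its architecture. It assumes the Windows "Programs and Features" display-name style ("Java 7 Update 45", "Java(TM) 6 Update 31"); the sample list is constructed, and "newest installed" does not mean "current release", so update first and audit afterwards.

```python
import re

# Assumed display-name format of JRE entries in the Windows program list,
# e.g. "Java(TM) 6 Update 31" or "Java 7 Update 45 (64-bit)".
JRE_NAME = re.compile(
    r"^Java(?:\(TM\))?\s+(?P<major>\d+)(?:\s+Update\s+(?P<update>\d+))?"
    r"(?P<x64>\s+\(64-bit\))?$"
)

def parse_jre(name):
    """Return (arch, (major, update)) for a JRE display name, else None."""
    m = JRE_NAME.match(name.strip())
    if not m:
        return None
    arch = "x64" if m.group("x64") else "x86"
    return arch, (int(m.group("major")), int(m.group("update") or 0))

def stale_jres(installed):
    """List JRE entries that are older than the newest one of the same architecture."""
    newest = {}
    parsed = []
    for name in installed:
        info = parse_jre(name)
        if info is None:
            continue  # not a JRE entry (e.g. "Java Auto Updater")
        arch, version = info
        parsed.append((name, arch, version))
        if version > newest.get(arch, (0, 0)):
            newest[arch] = version
    return [name for name, arch, version in parsed if version < newest[arch]]

# Constructed sample of an installed-programs list (not real data).
INSTALLED = [
    "Java(TM) 6 Update 22",
    "Java(TM) 6 Update 31",
    "Java 7 Update 9",
    "Java 7 Update 45",
    "Java 7 Update 45 (64-bit)",
    "Java Auto Updater",
    "Mozilla Firefox 25.0 (x86 en-US)",
]

if __name__ == "__main__":
    for name in stale_jres(INSTALLED):
        print("remove:", name)
```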