Did you update all your Java installations – client and server – to at least Java 6 update 26 in June 2011?
There were a dozen "unauthorized Operating System takeover including arbitrary code execution" bugs fixed at that time, some exploitable via untrusted applets, others via tricking server installs to submit certain data to standard APIs:
I've had the Java plugin disabled in firefox for a long time now. On the very rare occasions I need it, you can re-enable it without restarting the browser (unlike extensions.)
There were a dozen "unauthorized Operating System takeover including arbitrary code execution" bugs fixed at that time, some exploitable via untrusted applets, others via tricking server installs to submit certain data to standard APIs:
http://www.oracle.com/technetwork/topics/security/javacpujun...