Remember "click to activate"? And then SWFObject was born to circumvent it. It looks like the same thing is happening again to other runtimes and plugins:
Firefox to block content based on Java, Reader, and Silverlight: http://arstechnica.com/security/2013/01/firefox-to-block-content-based-on-java-reader-and-silverlight/
Oracle have already issued some comprehensive updates for JRE. Let's hope they're as successful at dealing with the "drive by attacks" as Flash Player has been.