Re: jar files
> How many people actually download and run Java jar files these days?
Few but non-negligible. Irrelevant in that case anyway.
> only those Lion users who have Java applications would be vulnerable
Well, them and the users of older versions of MacOS.
Also, as stated in a previous Intego article:
"A few points need to be made regarding Java and Mac OS X. Since Mac OS X 10.7 Lion, Java is no longer included with the operating system. However, the first time a user attempts to launch a Java applet, they see a dialog asking if they want to download Java. While most users may not use any Java applets, it is fairly common for online meeting and collaboration services to use Java, as it is cross-platform. Because of this, many Mac users may not realize that they have Java installed, as they may not remember having downloaded it when presented with such a request."
This is indeed true.
> (and only if they were dumb enough to run some unknown Java JAR).
Absolutely not. If an unpatched version of Java is installed, no user interaction is needed at all.
Although _if_ they have an up-to-date version of Java they would have to accept the bogus certificate to get infected. Which many did...