Processing Forum
The recently announced java exploits and the urging for everyone to uninstall java from their computers has got me worried. my first thought is that users will simply be too afraid to run processing sketches and/or even use the processing IDE. or even worse, that my system is actually at risk if i use processing.

I'm actually surprised that i've found no comment on this from other users or even Casey or Ben. Maybe it's just ignorance on my part (probably) but as a user it concerns me.

Are processing sketches vulnerable to the java bug? how about processing.js?

Replies(13)

Any software running locally can do all sorts of evil things.
It doesn't matter whether it's Java, Basic or even batch scripts!
And the only thing which holds back on how far they can go is the credential level in which they'd run.

Now, when running as a browser applet, Java's VM restrains what they can do to the local computer.
Those vulnerabilities refer to the breaking of that sandbox protection!

A reasonable protection we can use would be to activate the click-to-play feature, like Firefox and others have,
in which a plugin needs to be clicked first before its execution is allowed.

And the best protection would be to use a sandbox software to protect your browser.

Also, JavaScript is a browser's built-in programming language,
and it's very restrictive already on what they can do!

In short, if you're compiling or running a program, and it happens to be evil,
no matter which programming language, bad things will surely happen!

The reason you see nothing in the forum is because the risks of using Processing are virtually non-existent.

The real risk is from the Internet so just be careful what you download and run on your machine. The vast majority of sketches you see on sites such as OpenProcessing will be safe to execute (although many will not run as is on 2.0b8).

The contributed libraries and tools sponsored on the Processing website will also be safe to use.

If you find a useful library not on the Processing website, try googling it to see if there are any issues using it, or post a question about the library on this forum.

It's dangerous to cross the road but we all do it every day - just use your common sense.

GotoLoop,

so would it be reasonable to think that someone can actually write a virus in processing? since people will generally be willing to click-to-play a processing sketch, this might be a serious risk.

also, i realize that java and javascript are not the same and the bug was reported for java only. would it be safe to assume that since processing no longer supports the java applet, but rather processing.js, we are not at risk from the vulnerability?

as far as i can tell, even without java installed, a user can still use processing sketches from openprocessing.org and processing.js, so my biggest fear (that a user would be put off from using processing sketches posted/embedded online because he/she doesn't have java installed and would be prompted to do so) does not seem to be a factor.

quarks,

a big part of the processing fun is finding sketches online and using/modifying them, but i guess places like openprocessing.org solve that. it just seemed like processing was a very safe way of exploring.

thanks for responding. you guys are awesome.

www.epicjefferson.com www.avmachinists.org

Hello! Some extra points:

When Java is installed in a machine's OS, by default, along w/ Java's runtime,
its plugin becomes available for all of the programs in that OS. Especially for browsers!
Each browser has some feature to turn each available plugin on/off for itself.

Some known plugins are Flash, Shockwave, Silverlight, Java Applets, PDF readers, Office Suite readers,
QuickTime Player, Real Player, Windows Media Player, Windows DRM & WPF, and many more!

All plugins are external independent programs, and they're beyond the control of a browser!
Plugins can read, modify and delete any files from your OS (and even other OSes via LAN!),
and can connect directly to the Internet, not respecting the privacy/proxy settings from a browser!!!

Of course, a plugin which (tries to) takes its users seriously, won't allow something run from a browser,
using its plugin, to do anything to a local machine.

However, hackers will always discover ways to crack thru' any barriers/permissions set by a plugin.
That's what are called vulnerabilities.

Once known, a plugin's developer tries to fix 'em. But it's a continuous cat-chases-mouse thing!

it just seemed like processing was a very safe way of exploring.

It is, so don't let anyone put you off Processing and Java; it is one of the easiest and safest ways of writing and sharing programs.

More points:

Now, all of those "fleeting" "protections" are for programs running thru' plugins.
When we're using Processing (or any other programming language), there's no protection at all;
only the access credentials set by the OS!!!

So, assume that a code written in any language can:
read, modify and delete any files from a machine, even remote ones!

Those Java vulnerabilities are not a concern when we're using a programming language,
since we can do anything we wish (or thought so) anyways!

When visiting OpenProcessing.com, before clicking a Java applet,
we may try to peruse its source code for any "dangers"!

But for most any other general-purpose site, we have to "trust" that a plugin won't try to screw our machines.
We also depend on barriers set by the plugin itself to protect us from rogue codes.

The best thing we can do is to sandbox any browser we use,
so we have a powerful extra layer to limit what any plugin code can do!

JavaScript points:

JavaScript is peculiar b/c it is a native built-in programming language for browsers!
So it has to obey any restrictions placed by the browser running it!
A much different case from plugins/addons which are external and independent!

Despite that, hackers still find ways to be naughty w/ JS:
Web Page Fills Up HD

Even though JS is very reasonably "secure",
it is the language most used to attack one's privacy in the world!
There are all kinds of tracker/GPS location find scripts in almost any sites we surf!

Browser extensions/toolbars, which are generally made in JS as well,
are always spying and reporting anything we do!

Whew! It's difficult explaining such a subject in a few lines. And my explanation's turned out an article!

Who is "urging for everyone to uninstall java"? Firefox doesn't even automatically put Java on click-to-play anymore with 7u17.

Firefox doesn't even automatically put Java on click-to-play anymore with 7u17?
Actually, the Click-to-Play feature is not specific to Java applets, and much less to a specific Java version!
It works for every plug-in/add-on, and even includes HTML5's video & audio tags!

Before that, various browser extensions provided such an utmost important feature, like the venerable NoScript.
That one coupled w/ Ghostery + RequestPolicy extensions, and also AdBlock Plus,
allows a net surfer to better control their privacy online!

For the conscious surfer, there's no real need to uninstall/deactivate a plug-in,
since they don't run automatically and need to be clicked for permission!

However, if that plugin's code was indeed malicious and was smart enough to pass thru'
all of the barriers and vulnerabilities presented by the plugin and other protections in the OS...
Well, prepare to reformat and reinstall everything!

I think the whole tone of this thread is a little too alarmist. Epicjefferson, that ArsTechnica article is from January and if you actually read the US-CERT alert it states that the vulnerability in the alert along with another one has been patched by update 17.

GoToLoop, I don't know if anyone noticed, but Firefox was automatically activating its click-to-play protection for Java up until update 17 and now post update 17 is no longer doing that. Apparently Firefox believes the extra protection is no longer necessary. That is what I meant by my previous post.
But it's a continuous cat-chases-mouse thing!
That is about right. This kind of thing happens continuously with every other embedded technology, e.g. Flash; it just seems Java is getting a lot of attention lately. I don't think the current situation is anything out of the ordinary or particularly dangerous, but I could be wrong. I believe it's usually pretty difficult to pick up anything malicious unless you are visiting sites that are obviously shady.

but Firefox was automatically activating its click-to-play protection for Java up until update 17 and now post update 17 is no longer doing that.
Oh, I didn't know that. AFAIK, Click-to-Play would work for any content!
Anyways, I've never relied on default configurations for anything!
And Click-to-Play is a new feature, and I've always relied (and will continue so)
on 3rd-party extensions to do security tasks!
... just seems Java is getting a lot of attention lately.
Well, Flash was the preferred toy to invade computers not so long ago.
But ever since Steve Jobs spoke ill of it, Flash is in decline!
Java still is very present on most machines, although as a browser plugin, it has started to decline as well.
However, we still can find Java present on Apple machines, while Flash not much!
So, an almost universal attack vector!

However, since vulnerabilities will keep popping up forever, the best bet is to sandbox/virtualize any browser used!

... unless you are visiting sites that are obviously shady.
If there's some vulnerability, it means all sites have the power in their hands to invade your computer!
Power itself corrupts! It doesn't matter whether it's a shady or respectful site!  


all sites have the power in their hands to invade your computer!
Only if the machine hosting the site has been unknowingly compromised to such a degree that someone was able to put something malicious on it or maliciously alter it (as far as I know). Or if the hosting machine was set up with malicious intent of course (shady sites).