With all the recent brouhaha (US-CERT warnings, etc.) I wonder if Arduino users have any cause for concern, ...
Not from running the Arduino IDE.
...or if there are steps that should be taken to mitigate risks.
Or is the main concern limited to browser plug-ins?
Java has (yet again) a security hole that allows a malicious website to gain direct access to your harddrive. Two things have to happen to be affected: 1. Java has to be able to run in the context of your internet browser; 2. You have to access content from a malicious website.
Bear in mind that #2 is sometimes achieved by the miscreants buying advertising from companies like
Google (but I don't think Google allows Java). So the "malicious website" could be an advertisement displayed on a site that is otherwise harmless.