Support for Java SE 6 is needed
The Java SE 5 branch has reached end of life and is no longer being supported by Sun/Oracle unless you migrate to Java for Business. I spoke to a rep at Oracle recently and he confirmed that this was the case. This weekend, security updates for Java were released for JDK/JRE 6 (update 19) as well as JDK/JRE 5 (update 23), but in the latter case updates were released ONLY for the "Java for Business" family, not the Java Standard Edition (SE) family.
Can RSA provide support for the Java SE 6 branch so that the event viewer works through that version of Java? Any Java SE 6 version after update 13 doesn't work for the enVision event viewer. This includes the enVision 4.0 SP3 platform.
I can confirm without any doubt that vulnerabilities for Java are being exploited on the web through drive-by-downloads just like you have with Adobe Reader and Adobe Flash vulnerabilities. So not upgrading Java isn't an option, and Java for Business, unlike Java SE, requires paid support.
"One of our researchers recently discovered that the Liberty exploit kit included a fairly new [Java] exploit from November 2009 ... http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3867"
"Now I’m not saying that [the Liberty exploit kit] is being served up by ad networks, but the stats pages for the exploit kits are certainly saying that" (http://thompson.blog.avg.com/2010/03/fresh-exploit-served-up-with-ads.html)
"We have seen an increasing number of sites that contain a new exploit kit."
"Many people don't install Java updates, so it's a perfect attack vector. If you look at control panel statistics, you can see that they are very successful. Java exploit is the most successful exploit." (http://www.malwaredomainlist.com/forums/index.php?topic=3570.0)
"I received feedback from some readers who doubted whether anyone ever tried to attack Java flaws. As we can see from the second screenshot above, the Java exploit was the second most successful attack" (http://www.krebsonsecurity.com/2010/01/a-peek-inside-the-eleonore-browser-exploit-kit/)
Java End-Of-Life policy
After some research into this issue, this looks to be a bug caused by Sun Java after 1.6 update 14. Java after that version doesn't understand/interpret automatic proxy configuration scripts (wpad or proxy.pac) like it used to.
To make Java 1.6 update 14 (or even 19) work on the enVision again, as a workaround you can click on Control Panel | Java | General | Network Settings and change the setting from "Use browser settings" to "Direct connection". However, this also means that your Java application traffic will no longer pass through your organization's proxy, so certain Java applications that communicate across the Internet might stop working (it depends on how your organization's network is set up).
EDIT: For those curious about the bug, clicking on the first link sometimes hangs. Going to http://bugs.sun.com/ and entering the bug id (6887492) in the search field is sometimes faster.