
In response to the popular decision in disabling Java Web Apps, there has been very little mention of XBAP applications.

XBAP applications are similar to Silverlight, but they offer more options to the developer from a sandbox perspective.

  • Should XBAP applications also be considered when disabling Java Web Apps?

  • Is IE the only browser to be concerned about?

makerofthings7

2 Answers

1

XBAP is documented to run on Firefox too. However, it does not seem to be supported by Chrome, or on any browser when the underlying OS is Linux.

XBAP tries to apply the same model as Java applets, and that is known to be a hard problem, therefore a fair share of similar vulnerabilities can be expected. E.g. such as this one, which is recent (January 8th) and looks scary (complete hijack of the computer by browsing a malicious Web page), but, strangely enough, does not make the news, contrary to Java applet holes. I think it tells quite a lot on the current deployment of XBAP (i.e. almost nobody uses it, even potential attackers).

Thomas Pornin
  • It really isn't used at all. It fits in that crappy middle spot between click-once apps and Silverlight. Silverlight is dead, and click-once isn't really used outside of intranet environments. – Steve Jan 23 '13 at 19:43
0

I would think in principle, the concern would be similar, though I don't know of any particular threats that compromise the XBAP container. Java has far more known security vulnerabilities, but a compromise of the sandbox in the .Net CLR would be just as harmful as a compromise in the Java VM's sandbox. Both run on sandboxes in systems that have system level functionality available to them if the sandbox is broken. At least that is my understanding after a quick read up on XBAP. (While I'm familiar with the .Net CLR, I had not heard of XBAP prior to this question.)

Update based on Thomas Pornin's answer. It looks like there are a fair number of exploits in the .Net sandbox as well. So yes, very similar problem set to Java.

AJ Henderson