XProtect arrived on the Mac as part of Mac OS X 10.6 Snow Leopard. Its purpose is to provide a remote 'kill switch' to prevent applications from running.
It was originally applied to prevent certain pieces of malware from running, but more recently Apple has used it to prevent old and vulnerable versions of Java from running in a browser.
Vulnerabilities in Java have made it possible to launch Windows-style 'drive-by' attacks on Macs. Malicious Java code embedded in a web page could be used to install malware when the page is opened, with no obvious indication to the user that something is amiss.
Part of the problem is that some users are slow to update to new versions of Java. This can be simply inertia (laziness?), but it can also be due to incompatibilities between the updated version of Java and existing applications and applets that the user needs to run.
Apple has been forcing users' hands by blacklisting older versions via XProtect, which is automatically updated.
The latest XProtect update disables the web plug-in for all versions of Java prior to Java 6 update 51 (the current version from Apple) and Java 7 update 25 (the current version from Oracle, for Lion and Mountain Lion only).