Intego Security has reported a critical flaw in the version of Java shipped with Mac OS X. The flaw allows a remote party, typically through a malicious applet, to execute local code on the user's Mac.
Apple has been aware of this vulnerability for at least five months, since it was made public, but has neglected to issue a security update to protect against this issue. Security researcher Landon Fuller has published, on his web site, a proof-of-concept Java applet that exploits this vulnerability to demonstrate how easy it is to run code remotely.
While no applets that exploit this vulnerability have been found yet, it is only a matter of time, given the publicity the flaw has generated around the web. Full details on the flaw are here.