Apple still maintains Java 6, but Oracle is responsible for patching Java 7.
“The vulnerability is not in Java 6, it’s in new functionality in Java 7,” said Beardsley.
Beardsley called the bug “super dangerous,” noting that it was “totally a drive by,” meaning that attackers could compromise a Mac, or other personal computers, simply by duping users into browsing to a malicious or previously-hacked website that hosts the attack code.
Beardsley recommended that users disable Java until Oracle delivers a patch, advice seconded by virtually every security expert commenting on the new-found flaw.
Mac owners can disable the Java plug-in from within their browsers, or remove Java 7 from their machines. To do the latter, select “Go to Folder” from the Finder’s “Go” menu, enter “/Library/Java/JavaVirtualMachines/” and drag the file “1.7.0.jdk” into the Trash.
Thanks Dick Potter for the ‘heads up’.
For more at Mac World: