Update 4/4/2012: Apple released a patch for Java last night.
The first thing I'd like to say is that I am an Apple fanboy and can usually be found defending them vigorously like any loyal fanboy would. I hear time and time again from other Apple users that Apple products are "hacker proof", which is a total myth. My buddy Jayson Street says Apple products are perceived as shiny magical things, which I guess adds to the myth.
Mac users are so use to hearing about exploits that only affect Windows users. I have to admit some exploits that target Macs are lame, but every once in a while there comes something that Mac users need to pay attention to. Ladies and gentlemen, now is the time to pay attention because this myth is being busticated in a major way at the moment.
Apple hasn't provided an OS X product update for a critical Java vulnerability (CVE-2012-0507), which was patched by Oracle as of February 15, 2012. This is a big deal because Apple users account for about 15% of Internet traffic. Mac users are wide open to exploitation if they are running the Java plugin in their browsers and attackers are actively leveraging the Java attack across the Internet.
The actual exploit it widely available, which means that it will appear all over the Internet. Here is a screen capture of me exploiting my "fully patched" MacBook Pro running OS X version 10.7.3 with Metasploit.
I created a video to show Mac users how to disable to Java plugin in Firefox, Safari, and Chrome. Disabling the Java plugin will prevent your system from being compromised from the CVE-2012-0507 exploit. In general you should always have the Java plugin disabled unless it is absolutely necessary. You never know when there is a zero day exploit lurking around the corner.
I was sad visiting the Apple Store yesterday knowing that every Mac in sight was exploitable (See image below). I asked a couple of the Apple Geniuses if they heard of the issue, and they told me they were unaware of it, which means few customers or owners know as well. We surely need to put this myth to rest and pray for Apple to update as soon as possible. One final request if you made it this far, please tell everyone you know to disable Java plugins.