It's been a long wait. Fire up Software Update and you should see Java for Mac OS X 10.5 (or 10.4) update 4. This update closes a vulnerability first discussed in August of last year; it was patched by Sun and most other JVM developers months ago.
Apple's sluggishness on fixing this security issue could have allowed attackers to run arbitrary applications or processes on your machine if you visited a webpage hosting a malicious Java applet. The vulnerability was pointed out in graphic fashion by security researcher Landon Fuller.
Fuller took the exploit code that was circulating in the wild and built a proof of concept page that would run an innocuous program (the command-line 'say' utility) from a rigged Java applet; after the ensuing publicity, less than a month later, we have a patch.
Once you've updated, if you took the precaution of disabling Java in your browser settings, you can feel free to go ahead and turn it back on... although, if you haven't missed it, no need to change anything.
Thanks to everyone who sent this in.
[via Glenn Fleishman / TidBITS]