Update: In the interest of quantifying the risk to the average Mac user from this exploit (which, please note, does not currently have a Mac-attack payload), I asked for some data from CrashPlan. Since the online/peer backup service requires Java, its userbase represents a good proxy for the Java installed versions on the Mac.
Co-founder Matthew Dornquist quickly responded with a random sample of 200K recent users; his numbers show that the overwhelming majority of CrashPlan's Mac users are on Java 1.6 (92%) and a small minority on the older 1.5 version. The percentage on the 1.7 version targeted by the malware? Approximately zero. It's not often that we find ourselves thankful for out-of-date software, but there it is.
For a widely distributed runtime like Oracle's Java, a zero-day vulnerability (a security flaw exploited to create malware before the platform's maintainers have a chance to analyze and respond) is your basic nightmare. Millions of computers might be affected while a patch is in progress; security companies and ISPs need to coordinate to update malware definitions and block command-and-control websites. Nothing but aggravation -- and since Java can run on all varieties of operating systems, there's plenty of agita to go around.
Research shop FireEye identified a Java zero-day exploit this weekend that is already targeting fully patched versions of the Java JRE version 1.7 running on Windows machines. The exploit attempts to install a dropper executable (Dropper.MsPMs) on the machines it attacks. In theory, a separate dropper could be crafted to attack Mac or Linux systems, although none has yet been observed in the wild.
That's a reason for Mac users to rest a little more easily, but it's not the big one. As CNET points out, the vulnerable edition of the JRE -- 1.7 -- isn't installed by default in a stock configuration of OS X. The Java that Apple delivers on Snow Leopard, Lion and Mountain Lion is JRE 1.6 (and on Lion and Mountain Lion, it's only installed on demand when needed to run Java applications); in order to be on 1.7 and be theoretically susceptible, you'd have to install the Oracle
beta build manually... which, hopefully, you'd remember doing.
Some of the more breathless coverage of this exploit seems to have missed that point; the overwhelming majority of OS X machines are not running the vulnerable version, and any that are should (theoretically) be under the supervision of users who specifically chose to move to the new, yet-to-be-mainstream release.
If you did install the Oracle build and you're concerned about the new exploit, you can disable the Java plugin in each of your browsers individually, or uninstall 1.7 entirely. While it bears repeating that there is no evidence of a Mac payload for this exploit at this time, if you don't have a specific reason to run the new version then it's probably safest to stick with JRE 1.6 instead (or turn off Java completely if you don't need it). In response to past exploits including Flashback, Apple's Java web plugin is now set to auto-disable when it isn't used for some time, further reducing the attack surface for Mac users.
[hat tip Seth Bromberger]