Java Flaw still not fixed in Mac OS X

"According to Julien Tinnes in the CR0 Blog,
it appears that Apple's recent security update failed to fix a Java
flaw that was reported to Sun back in August 2008 and patched by Sun
way back in December 2008.  The upshot: according to the blog (and I've
yet to be able to independently confirm it) any browser on OSX that
uses the Apple-supplied version of Java is vulnerable to remote
exploitation against a class of flaws known as Java deserialization
vulnerabilities."

Read more: http://isc.sans.org/diary.html?storyid=6418