Updated 12:30 p.m. PDT with Apple comment
According to Landon Fuller, the man credited with discovering it, the Java flaw even affects the latest version of Mac OS X, 10.5.7, released just a week ago. Fuller has gone so far as to release a proof of concept for the security hole.
The vulnerability could be used to perform what SecureMac refers to as "drive-by-downloads," or the ability to infect a computer by simply visiting a Web page. Fuller explains that the flaw allows malicious code to run commands with the permissions of the current user.
In a post on his Web site, Fuller clearly seems upset and mystified that the vulnerability remains unpatched in the latest versions of the operating system.
"Unfortunately, it seems that many Mac OS X security issues are ignored if the severity of the issue is not adequately demonstrated," Fuller said on his site. "Due to the fact that an exploit for this issue is available in the wild, and the vulnerability has been public knowledge for six months, I have decided to release my own proof of concept to demonstrate the issue."
"We are aware of the issue and we are working on a fix," Apple spokeswoman Monica Sarkar said. She could not give a time frame for the fix and declined to comment further.
Fuller's demonstration runs on "fully patched" Intel and PowerPC Macs.
The only workaround for the vulnerability is to disable Java applets in your Web browsers and turn off the "Open safe files after downloading" preference in Safari, Fuller said.