It appears that there some critical vulnerabilities in Java that, while fixed by Sun, have not made their way into Mac OS X, even with the newly-released Mac OS X 10.5.7. These vulnerabilities can be taken advantage of to run commands outside of the Java sandbox as the executing user.

Landon Fuller has an overview, workarounds, and a proof-of-concept and Julien Tinnes has a detailed explanation & example. The workaround? Disable Java and ‘Open “safe” files after downloading’ in Safari and other browsers. But you disabled ‘Open “safe” files after downloading’ long ago, right?

[Via Daring Fireball]

Update: This was fixed in Java for Mac OS X 10.4 Release 9 & Java for Mac OS X 10.5 Update 4 on June 15th, 2009.