An old Java vulnerability, already fixed 6 months ago in every Java implementation except Apple's, allows remote attackers (i.e. malicious web sites) to launch arbitrary code from Safari or Firefox with full user privileges, evading the Java applet sandbox on Mac OS X.
At this moment, the easiest way to protect your Mac web browser is either turning off Java globally or... you know what ;)
Update Jun 15th
Three weeks later, Apple finally patched..