An old Java vulnerability, already fixed 6 months ago in every Java implementation except Apple's, allows remote attackers (i.e. malicious web sites) to launch arbitrary code from Safari or Firefox with full user privileges, evading the Java applet sandbox on Mac OS X.
Here's Slashdot's routine Apple+Java bashing, with linked source articles.
At this moment, the easiest way to protect your Mac web browser is either turning off Java globally or... you know what ;)
Update Jun 15th
Three weeks later, Apple finally patched it.