Macs at risk from 'super dangerous' Java zero-day

27.08.2012

Apple still maintains Java 6, but Oracle is responsible for patching Java 7.

"The vulnerability is not in Java 6, it's in new functionality in Java 7," said Beardsley.

Beardsley called the bug "super dangerous," noting that it was "totally a drive by," meaning that attackers could compromise a Mac, or any other personal computer, simply by duping users into browsing to a malicious or previously hacked website that hosts the attack code.

Beardsley recommended that users disable Java until Oracle delivers a patch, advice seconded by virtually every security expert commenting on the new-found flaw.

Mac owners can disable Java from within their browsers, or remove the software entirely from their machines.