Apple released a Java 1.6.0_31 update for OS X on Tuesday that claims to deliver "improved compatibility, security, and reliability." The patch closes multiple vulnerabilities found in Java 1.6.0_29, the most serious of which allows malicious code to be executed just by visiting a compromised website. The update is available from Software Update on any Mac running Mac OS X v10.6.8, Mac OS X Server v10.6.8, OS X Lion v10.7.3, or Lion Server v10.7.3.
Russian security firm Doctor Web claims that attackers began exploiting the Java vulnerability on March 16th; Apple closed it with the release of the Java update on April 3rd. Dr. Web now estimates that about 600,000 Macs, most of which reside in the US (55 percent) and Canada (19.8 percent), are infected members of the Flashback botnet. The company also notes that some four million compromised web pages could be found in Google search results at the end of March, with some users claiming infection after visiting sites as mainstream as dlink.com.
Security company F-Secure has instructions for detecting and deleting the Flashback botnet on infected computers.