Oracle has released the Critical Patch Update that fixes the latest remote code execution vulnerability found in Java. At least one attack vector lets a Java Web Start (JNLP) file grant itself security permissions without any user interaction, so drive-by exploits delivered through banner ads and the like are likely to use it. Update to Java SE 6 Update 24 (version string 1.6.0_24) to patch this vulnerability.
Note that on a 64-bit system where you use 64-bit and 32-bit browsers interchangeably, you need to install both the 64-bit and the 32-bit JRE 6 Update 24 (1.6.0_24): each browser loads the Java plug-in from the JRE that matches its own bitness, so patching only one of them leaves the other browser exposed.
Oracle just released a Security Alert with a fix for the vulnerability CVE-2010-4476, which affects Oracle Java SE and Oracle Java For Business. This vulnerability is present in Java running on servers as well as standalone Java desktop applications. Its successful exploitation by a malicious attacker can result in a complete denial of service for the affected servers.
Although it was only recently publicly disclosed, a number of Internet sites have since reproduced details of this vulnerability, including exploit code, which may allow a malicious attacker to create a denial of service condition against the targeted system. Oracle therefore strongly recommends that affected organizations apply this fix as soon as possible. The Security Alert Advisory provides information on how to apply this fix and where to download it. In addition, note that the fix for this vulnerability will also be included in the upcoming Java Critical Patch Update (Java SE and Java for Business Critical Patch Update - February 2011), which will be released on February 15th 2011.
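Both posts above come down to the same action: make sure every JRE on the box is at Java SE 6 Update 24 (1.6.0_24) or later, which carries the Critical Patch Update fixes and the CVE-2010-4476 fix (a hang while parsing certain floating-point strings). The script below is an added example, not code from the original page or from Oracle: it parses the banner that `java -version` prints, compares it against 1.6.0_24, and can run the same check over several JRE binaries at once, which is what the 32-bit/64-bit note calls for. The sample banners are constructed, and the two Windows install paths are assumed defaults for JRE 6 that you should adjust for your hosts.

```python
"""Check whether installed JREs are at or above Java SE 6 Update 24 (1.6.0_24)."""
import re
import subprocess
from typing import Dict, Optional, Tuple

Version = Tuple[int, int, int, int]

# Fixed level named in the posts above: Java SE 6 Update 24, version string 1.6.0_24.
MIN_PATCHED: Version = (1, 6, 0, 24)

# Matches the first line of `java -version` output, e.g.
#   java version "1.6.0_24"       -> (1, 6, 0, 24)
#   openjdk version "1.8.0_292"   -> (1, 8, 0, 292)
#   java version "9.0.4"          -> (9, 0, 4, 0)   (newer strings carry no "_update" field)
_BANNER_RE = re.compile(
    r'(?:java|openjdk) version "(\d+)(?:\.(\d+))?(?:\.(\d+))?(?:_(\d+))?[^"]*"'
)


def parse_java_version(banner: str) -> Optional[Version]:
    """Return (major, minor, micro, update) from a `java -version` banner, or None if unparseable."""
    m = _BANNER_RE.search(banner)
    if m is None:
        return None
    major, minor, micro, update = (int(g or 0) for g in m.groups())
    return (major, minor, micro, update)


def is_patched(version: Version, minimum: Version = MIN_PATCHED) -> bool:
    """Lexicographic tuple comparison: 1.6.0_24 and anything newer (1.7.0, 9.0.4, ...) pass."""
    return version >= minimum


def classify_banner(banner: str) -> Tuple[str, Optional[Version]]:
    """Map a banner to 'patched', 'vulnerable' or 'unknown', plus the parsed version."""
    v = parse_java_version(banner)
    if v is None:
        return "unknown", None
    return ("patched" if is_patched(v) else "vulnerable"), v


def classify_binary(java_exe: str) -> Tuple[str, Optional[Version]]:
    """Run `<java_exe> -version` (the banner is printed on stderr) and classify the result."""
    try:
        proc = subprocess.run([java_exe, "-version"], capture_output=True, text=True, timeout=30)
    except (OSError, subprocess.TimeoutExpired):
        return "missing", None
    return classify_banner(proc.stderr + proc.stdout)


def classify_binaries(java_exes: Dict[str, str]) -> Dict[str, Tuple[str, Optional[Version]]]:
    """Classify several JREs at once, e.g. the 32-bit and 64-bit installs on one 64-bit Windows host."""
    return {label: classify_binary(path) for label, path in java_exes.items()}


# Constructed sample banners (not captured from a real host) covering the cases that matter.
SAMPLE_BANNERS = {
    "6u22 (pre-fix)": 'java version "1.6.0_22"\nJava(TM) SE Runtime Environment (build 1.6.0_22-b04)\n',
    "6u24 (fixed)": 'java version "1.6.0_24"\nJava(TM) SE Runtime Environment (build 1.6.0_24-b07)\n',
    "7 GA": 'java version "1.7.0"\nJava(TM) SE Runtime Environment (build 1.7.0-b147)\n',
    "no JVM": "'java' is not recognized as an internal or external command\n",
}

# Assumed default install paths for the 64-bit and 32-bit JRE 6 on 64-bit Windows; adjust per host.
WINDOWS_JRE6_PATHS = {
    "64-bit JRE": r"C:\Program Files\Java\jre6\bin\java.exe",
    "32-bit JRE": r"C:\Program Files (x86)\Java\jre6\bin\java.exe",
}

if __name__ == "__main__":
    for label, banner in SAMPLE_BANNERS.items():
        print(f"{label:16s} -> {classify_banner(banner)}")
    for label, result in classify_binaries({"PATH java": "java", **WINDOWS_JRE6_PATHS}).items():
        print(f"{label:16s} -> {result}")
```

Checking only the `java` on PATH is not enough on a 64-bit Windows host: it reports whichever JRE was installed last, while each browser loads the plug-in from the JRE of its own bitness, so run the check against both install paths and treat a "missing" result for an architecture you do ship browsers for as something to investigate rather than ignore.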