A bad (as in it's a 10) Java vulnerability has been discovered. Affecting Java 7 Update 10 and prior versions, this vulnerability can allow an untrusted Java applet to escalate its privileges without requiring code signing.
Currently, the only defense to this vulnerability is to disable Java in your browser. Additional information is provided by US-CERT.
Update at 20:18 UTC 11 Jan
I good resource to follow this story is krebsonsecurity.com.
Update at 22:05 UTC 14 Jan
The US-CERT has released the following bulletin:
US-CERT Current Activity Oracle Releases Out-of-Band Patch to Address Java 7 Vulnerability Original release date: January 14, 2013 Last revised: January 14, 2013 Oracle has released an out-of-band patch to address the recently announced vulnerability in Java Runtime Environment (JRE) 7. US-CERT encourages users and administrators to review the bulletin and follow best-practice security policies to determine which updates should be applied. Relevant URL(s): <http://www.oracle.com/technetwork/topics/security/alert-cve-2013-0422-1896849.html> <http://www.us-cert.gov/current/#us_cert_releases_oracle_java>