This is exactly what happened in the attack against Apple's employees, and possibly in the attacks against Twitter and Facebook as well. The attackers compromised a site known to be used by mobile developers, and then used a previously unknown (or "zero-day") Java vulnerability to exploit computers through their browsers. This is known as a "watering hole" attack, because the bad guys targeted a place that the desired victims visited regularly and voluntarily. Since the exploit was unknown, antivirus software wouldn't necessarily be able to spot and disable it.
When I wrote about the the Flashback attacks at the end of August, I said, "although you likely aren't at risk today, it is clear that Java still represents one of the biggest, most persistent security problems facing users of all operating systems."
My conclusion has changed: You are at risk now. So how do you protect yourself?
How to remove Java
Your best option is to remove Java from your Mac altogether; then you won't have to worry about its security vulnerabilities. Not having Java on your system may break some websites, but I haven't permitted Java to run in my browser for quite a while now and I've run into very few problems. When I do, the culprits have most commonly been Web-based meeting software and some enterprise applications. That's because disabling Java also disables some other software programs, such as the popular CrashPlan backup tool. If you run into that situation, consider taking the steps outlined below for isolating Java; for other users, however, living without Java may be the most satisfactory course. That way, you avoid the risk that of having your Java reactivated at some point in the future.
The precise process to follow in removing Java depends on the version of OS X you run and the version of Java you use. Whatever those particulars may be, removing Java is fairly easy.
To see whether you have Java installed, launch Terminal and run the following command:
If you see 1.6 or 1.7 in the response, navigate to the /System/Library/Java/JavaVirtualMachines/ directory and delete it. Alternatively, use the command line:
sudo rm -rf /System/Library/Java/JavaVirtualMachines/
(As always, type very careful when using the sudo rm command.)