This one is a HUGE security issue for Windows users with Java (1.)6.0.10 or later installed: a script kiddie can take full control of the machine without any user action besides browsing a malicious web page, independent of browser or OS version, without any adverse sign on either exploitable or non-exploitable machines, and with hardly any risk of detection by malware scanners. In summary, the perfect zero-day exploit (for targets with Java). I bet the house it will be actively exploited. I have a (second-hand) report that it was the case on April 13.
A temporary workaround appears to be renaming "javaws.exe" to "disabled_javaws.exe" in
C:\WINDOWS\system32
C:\Program Files\Java\jre6\bin
More details at:
http://www.reversemode.com/index.php?option=com_content&task=view&id=67&Itemid=1
http://seclists.org/fulldisclosure/2010/Apr/119
Sun/Oracle released an update that seems to fix the issue.
http://www.java.com/en/download/manual.jsp
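The rename workaround above, scripted so it can be applied and later reverted once the patched Java is installed. This is an added example, not code from the post or from Sun/Oracle: it assumes exactly the two directories the post names and the "disabled_" prefix the post uses, and it must be run from an elevated PowerShell prompt because both directories need administrator rights.

```powershell
# Added example (not from the original post): apply or revert the temporary
# javaws.exe rename. Paths and the "disabled_" prefix are those from the post.
# Usage:  .\Disable-Javaws.ps1          (apply workaround)
#         .\Disable-Javaws.ps1 -Revert  (restore javaws.exe after patching)
param(
    [switch]$Revert
)

# Both target directories are protected; refuse to continue without admin rights.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = [Security.Principal.WindowsPrincipal]$identity
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this from an elevated (Administrator) PowerShell prompt.'
}

# Assumed locations, taken from the post. Extend this list for other installs.
$targets = @(
    'C:\WINDOWS\system32',
    'C:\Program Files\Java\jre6\bin'
)

foreach ($dir in $targets) {
    $live     = Join-Path $dir 'javaws.exe'
    $disabled = Join-Path $dir 'disabled_javaws.exe'

    if ($Revert) {
        if (Test-Path $disabled) {
            Rename-Item -Path $disabled -NewName 'javaws.exe'
            Write-Host "Restored  $live"
        } else {
            Write-Host "Nothing to restore in $dir"
        }
        continue
    }

    if (Test-Path $live) {
        # Record the build being disabled so the change is traceable later.
        $ver = (Get-Item $live).VersionInfo.FileVersion
        Rename-Item -Path $live -NewName 'disabled_javaws.exe'
        Write-Host "Disabled  $live (file version $ver)"
    } elseif (Test-Path $disabled) {
        Write-Host "Already disabled in $dir"
    } else {
        Write-Host "No javaws.exe found in $dir"
    }
}
```

Two caveats a practitioner would want: the post only lists the paths for a 32-bit Java 6 on 32-bit Windows, so on 64-bit Windows with a 32-bit JRE the corresponding copies live under `SysWOW64` and `Program Files (x86)` and belong in `$targets` as well; and any Java reinstall or auto-update will put a fresh `javaws.exe` back, so re-check after updating and use `-Revert` only once the fixed release is confirmed installed.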