This effects all versions of Oracle Java (JRE 1.7 Update 10 and earlier), including both the JRE and JRE browser plugins.
From US DHS CERT
This vulnerability is being attacked in the wild, and is reported to be incorporated into exploit kits. Exploit code for this vulnerability is also publicly available.
By convincing a user to visit a specially crafted HTML document, a remote attacker may be able to execute arbitrary code on a vulnerable system.
We are currently unaware of a practical solution to this problem. Please consider the following workarounds:
Disable Java in web browsers
Starting with Java 7 Update 10, it is possible to disable Java content in web browsers through the Java control panel applet. Please see the Java documentation for more details.