To tackle the recent Flashback malware for OS X, Apple issued an update for Java that closes the exploited vulnerability in its runtime. Apple also issued a couple of additional tools and tweaks to tackle other potential problems in Java. The first of these is Apple's updated "MRT" (malware removal tool) utility that will scan for and remove the malware from affected systems. The second is a change to how OS X handles Java, in which the system will now keep the Java plug-in disabled until it is needed.
The idea here is to only allow the Web plug-in to work for those who regularly use Java, but for those who do not, then the plug-in will remain disabled until they use it. However, after a set amount of time, if you have not used any Java applets, then the plug-in will be disabled again. This should help prevent any future Java-based exploits from affecting many Mac systems, and hopefully reduce the impact that such malware would have on the Mac community.
The way this works is you first need to have a Java runtime enabled (installed and checked in the Java Preferences) on your system, and then have Java enabled in your Web browser (in the Security preferences in Safari). If neither of these is enabled, then Java will not run at all.
With a properly installed and enabled Java runtime, when you next visit a Web site that contains a Java applet, then Safari will present you with a small plug-in notice that says "Inactive Plug-in" with a small arrow next to it. By clicking this arrow you will tell the system to enable the Java plug-in, but will have to quit and relaunch your Web browser in order for it to work. This action ensures that you purposefully wish to activate the Java runtime and load the Java applet on your system.
When you click this option and have the system load Java, it does not alter any settings within Safari and does not alter the location of any files on disk, but rather changes the Java preferences for the current user account (the file for which is located in the ByHost directory), to allow the Web component of the plug-in to execute. This setting is reflected in the General section of the Java Preferences utility, where you can see the option to enable the Web plug-in checked.
While you can turn the plug-in on or off using this setting in the Java Preferences utility, doing so will not make it stay on. Instead, regardless of how it is enabled, the system will disable the Java plug-in if you have not used any Java applets within about a month's time, and require you to re-enable it manually.
While this behavior was implemented in the latest Java runtime that Apple has released for OS X, Scott Kovatch from Oracle's Java development team recently mentioned that the upcoming release of Java 7 for OS X will not have this behavior, and will instead include an alternative approach to enhancing security.