In an Apple advisory: "Visiting a maliciously crafted website could allow a Java Web Start application to be launched automatically even if the Java plug-in is disabled. Java Web Start applications would run even if the Java plug-in was disabled. This issue was addressed by removing JNLP files from the CoreTypes safe file type list, so the Web Start application will not be run unless the user opens it in the Downloads directory."
It's not so common for Apple to release a suite of patches for security issues, but Java has been a certain thorn in the company's side. If you haven't downloaded the latest OS X, be sure to do so; it'll allow enable Windows 8 support in Boot Camp.