At this point the most widely exploited holes seem to be in Java's web browser plugin. They allow attackers to escape Java's security sandbox and run web apps with the same privileges that the browser uses. Java code that does not use Java's SecurityManager is (usually) not vulnerable to these exploits.
I blogged about this issue earlier this year.