According to Adam Gowdiak of Polish security firm Security Explorations, Oracle confirmed to him that a patch won't be issued until February 19, 2013.
Gowdiak said he plans to present technical details on the flaw Nov. 14 at the Devoxx Java Community Conference in Belgium. His team did share a technical description of the issue, along with source and binary code for a proof-of-concept exploit. Pretty much the same thing happened in August, but then Oracle was forced to issue an out-of-cycle patch due to the severity of the vulnerability as well as widespread media coverage.
The vulnerability and exploit were announced in late September. Gowdiak’s exploit successfully beat a fully patched Windows 7 computer running Firefox 15.0.1, Chrome 21, Internet Explorer 9, Opera 12 and Safari 5.1.7. The exploit relies on a user landing on a site hosting the exploit; an attacker would use a malicious Java applet or banner ad to drop the malware and ultimately have full remote control of a compromised machine.