SecLists claims to have "discovered yet another security vulnerability" http://seclists.org/bugtraq/2012/Sep/109. It is unclear to me if they are talking about a vulnerability in addition to CVE-2012-4681 and whether the findings will be bundled into CVE-2012-4681. I intend to inquire internally whether exploitable code exists for any vulnerabilities subsequent to -4681. There does not seem to be a new CVE number associated with seclist's finding.
I'm also hoping to open some forum discussion to help us understand better the scope of the threat. The CVE-2012-4681 references the Oracle press release which indicates "These vulnerabilities are not applicable to Java running on servers or standalone Java desktop applications" http://www.oracle.com/technetwork/topics/security/alert-cve-2012-4681-1835715.html. Why would only browser clients be vulnerable? Wouldn't standalone clients that might attempt to retrieve a URL that may contain malicious code also be at risk?