Oracle has just released Java 8u77, which contains “important security fixes” and is a recommended update for all Java 8 users.
The most significant fix addresses CVE-2016-0636, a vulnerability which affects Java SE running in web browsers, which can be exploited remotely without any authentication. In other words, just visit a malicious webpage and you could be hit by it. This does affect OS X installations.
It can be downloaded from here.