The Flashback trojan which is making the rounds can mount an attack through the vulnerable JVMs in 10.4 and 10.5 (and as we all know, Apple is no longer issuing security updates for PowerPC at all). I don't know if Flashback can penetrate PPC systems or merely crashes them, but there are enough cross-platform components within the attack that it seems at minimum possible. (Note to Classilla users: the JVM is too old in OS 9 and the cross-platform components require a Unix shell, so the most Flashback can make you do is bomb.)
UPDATE: Some people are linking to this post to try to warn PowerPC users that we are also vulnerable, but I have seen many people express disbelief because to date no one knows of any PPC systems that have actually been infected.
Well, let me disabuse you of the notion we are resistant to the attack: the CVE in question exploited by Flashback a/k/a Flashfake is CVE-2012-0507 and Oracle themselves say Java 2 Standard Edition 5.0 update 33 and before are vulnerable. J2SE 5.0 corresponds to Java VM 1.5, which is the JVM in use on 10.4 and 10.5 PowerPC, and no version of Apple Java for 10.4 or 10.5 is at update 33. So the hole exists. (There is an OpenJDK 7 available for 10.5 at least, but there is no browser plugin for it and the vulnerable JVM is still on your system, so you must take specific steps to disable the old system VM and also disable Java in your browser.)
But wait, it gets worse. The hole in question is a "sandbox violation," meaning it allows Java code that would normally run in an unprivileged environment to run with privileges. Read that sentence again: it allows Java code to do it, not merely native code. The malicious bootloader which Flashback/Flashfake uses to mount its attack will run on PowerPC because it is written in Java. When Flashback/Flashfake starts up, it initiates the sandbox exploit and, now possessing privileges, runs its bootloader, which then grabs an actual native binary. The bootloader is cross-platform and works on Windows and Mac OS X. The binary the bootloader fetches and then executes is the true payload. MSDN has an excellent analysis.
The true (and as near as I can tell, the only) reason Power Macs are resistant so far is because the binary that is loaded is not compiled for PPC. That's it. The actual attack works. If the evil brains in a .jar behind Flashback were to compile their payload as a Universal binary and link it to an appropriate PPC SDK, the payload would also run, and the system would be exploited. So turn off Java now. It is no longer safe on Power Macs. Don't make your system's safety dependent on how lazy the Flashback authors are.
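To check a machine against the range cited above (J2SE 5.0 update 33 and before), the following added example, which is not part of the original post, parses `java -version` style output and classifies the version. The function names, the result labels and the sample output are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post.
# Constructed sample of `java -version` output (the real command writes to stderr).
SAMPLE_OUTPUT='java version "1.5.0_30"
Java(TM) 2 Runtime Environment, Standard Edition (build 1.5.0_30-b03)'

# Print the quoted version from `java -version` style text.
# Live use: extract_java_version "$(java -version 2>&1)"
extract_java_version() {
    printf '%s\n' "$1" | sed -n 's/^java version "\([^"]*\)".*/\1/p' | head -n 1
}

# Print one of: vulnerable | outside-cited-range | unparsed
# "outside-cited-range" only means the post gives no range for that version.
classify_java_version() {
    ver=$1
    case "$ver" in
        1.5.0*) rest=${ver#1.5.0} ;;          # J2SE 5.0 == Java VM 1.5
        [0-9]*.[0-9]*) echo "outside-cited-range"; return 0 ;;
        *) echo "unparsed"; return 0 ;;
    esac
    case "$rest" in
        ""|-*) update=0 ;;                     # 1.5.0 with no update number
        _[0-9]*) update=${rest#_}; update=${update%%[!0-9]*} ;;
        *) echo "unparsed"; return 0 ;;
    esac
    # Strip leading zeros so "08" is compared as decimal 8.
    while [ "${#update}" -gt 1 ] && [ "${update#0}" != "$update" ]; do
        update=${update#0}
    done
    if [ "$update" -le 33 ]; then
        echo "vulnerable"
    else
        echo "outside-cited-range"
    fi
}

# Classify the constructed sample above.
classify_java_version "$(extract_java_version "$SAMPLE_OUTPUT")"
```

A "vulnerable" result means the system JVM falls in the cited range, so Java should be disabled as described above.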
Back to the previous article ...
Java requires a (surprise!) plugin to run in TenFourFox, so by default we are not vulnerable, and even if you enable plugins "against medical advice" the Java plugin preference is specifically set to hide the Java plugin by default as well. You would have to turn on both preferences to actually get the exploit to occur (assuming that it can attack Power Macs), so we are safe from this attack in the vast majority of configurations.
Mozilla has started blocking old versions of the Java Plugin on Windows because of the BlackHole exploit kit which takes advantage of the same vulnerability, and they will extend this block to the Mac shortly. I don't know if we will take this code since it will block everyone from using Java, even those taking reasonable precautions, because there is no way to update the system JVM. It might be nice for someone in their copious spare time to look at porting one of the Java SDK clones to 10.4, you know, between saving the world and doing the dishes.
The CoreGraphics accelerated backend I talked about in the last post is now able to partially render text too. Still get crashes with gradients, so still not ready for primetime.