Sun has put a page up about the bug at;
Here's a partial quote...
"In normal use of the JDK to develop Java applets and applications this
problem does not arise. Developers can safely use the appletviewer as a way
to view and test their own applets. They are warned, however, not to use
the appletviewer to view potentially hostile, unknown applets."
Gee, I wonder how we determine what is "potentially hostile"??
Oh, and this one...
"The problem is with a bug in the implementation of the security model, not
with the model itself"
which, roughly translated into terms I more easily understand, means the
problem is with how the security policy is implemented, not the security
policy itself. As we all know, the security policy is never to blame for a
break-in, it's always a violation of the security policy that causes the
problem, which is why we never have to change our security policies to
accommodate break-ins, right???