The bug is due to a design flaw in Java.
reports that Google researcher Tavis Ormandy says he has notified Oracle about a Java virtual machine bug
that attackers could use to run unauthorized programs on a computer. Ormandy says Oracle told him that it did not consider this vulnerability to be of high enough priority to break its quarterly patch cycle. He does not agree, and has decided to publish details of the bug.
The bug is not due to a programming error, but rather a design flaw in Java, making it particularly nasty. It affects "all versions since Java SE 6 update 10 for Microsoft Windows," says Ormandy.