The Array Name Bug
This bug affected Netscape Navigator version 3.0 beta 5 and
earlier. It was caused by incorrect handling of type definitions in
the Java internals. Java uses special predefined names for its array
types; these special names are bound to the correct array types on
demand. We discovered that under certain circumstances an applet could
define a class that had one of these special names. The system
detected this and threw an exception, but the malicious definition was
mistakenly left in one of the system's internal tables. The result was
that an applet could redefine one of Java's array types. This was
sufficient to break Java's type system and hence to completely
circumvent Java's security mechanisms.
The bug is fixed in Netscape Navigator version 3.0 beta 6 and later.