The vulnerability resides within an NPAPI plugin and ActiveX control called "Java Deployment Toolkit."
"The toolkit provides only minimal validation of the URL parameter, allowing us to pass arbitrary parameters to the javaws utility, which provides enough functionality via command line arguments to allow this error to be exploited," Ormandy wrote in a post to a security mailing list.
He says that the ease with which this error can be discovered has convinced him that it's in everyone's interest -- except Sun's -- to release the details.
Ormandy says that all versions of Java since Java SE 6 update 10 for Microsoft Windows appear to be affected by this vulnerability.
In a blog post, Qualys CTO Wolfgang Kandek points to a technical analysis of the flaw by Ruben Santamarta, who notes that Linux is affected as well.
"The vulnerability allows an attacker to execute remote code on the target machine and can be triggered by a user visiting a simple Web page," said Kandek. "It is located in the Java Web Start component and is present on Java running on Windows Operating Systems."
In his mailing list post, Ormandy has included a link to a Web page that launches proof-of-concept exploit code.
A patch is not yet available, but Ormandy suggests several workarounds.
He also says that Sun has been informed of the flaw but does not consider it serious enough to issue and patch outside of its quarterly cycle.