Sun Java Plugin Arbitrary Package Access Vulnerability

This security hole is caused by a flaw in the LiveConnect implementation of Sun's Java Virtual Machine (specifically in the JavaScript-to-Java side of LiveConnect). Sun just released a new version (1.4.2_06) that fixes the problem. But 1.4.2_05 and potentially all earlier versions are still vulnerable.

Apple has licensed Sun's Java Virtual Machine, and distributes copies of Java 1.3.1 and Java 1.4.X with Mac OS X (Java 1.4.1 with OS X 10.2.8 and Java 1.4.2 with OS X 10.3.X). Apple's most recent Java version (Java 1.4.2 Update 2, available for OS X 10.3.4 and above) is based on Sun's Java 1.4.2_05.

So all of Apple's Java versions are vulnerable in principle. And they actually are vulnerable when used in combination with older versions (pre-0.8.8) of the MRJ Plugin JEP (whether the latter is used with JavaEmbeddingPlugin.bundle to provide Java 1.4.X support or by itself to provide Java 1.3.1 support). But, as it happens, neither Apple's browser (Safari) nor its browser plugin (Java Applet.plugin, which provides Java 1.3.1 support to browsers other than Safari) is vulnerable.

You might think that it's Apple's responsibility to fix its Java distributions, all of which have this security hole. But since none of Apple's Java "consumers" are vulnerable, they may choose not to do anything. In any case, they haven't done anything yet. (Apple may have partially addressed this issue with its 2005-02 security update for OS X 10.3.X. But JEP 0.8.7 and earlier are still vulnerable even with this security update applied.)

When I found a way to fix the problem indirectly (in the MRJ Plugin JEP) for both Java 1.3.1 and 1.4.X, I decided to include it in the Java Embedding Plugin and make a special "security fix" release -- which became JEP 0.8.8. (The fix is also included in later versions.)

Scanit has made available an online scanner for browser vulnerabilities that is capable of detecting the "Arbitrary Package Access" vulnerability:

http://bcheck.scanit.be/bcheck/
http://bcheck.scanit.be/bcheck/choosetests.php

Scanit's test shows that earlier versions (prior to 0.8.8) of the MRJ Plugin JEP are vulnerable (and that versions 0.8.8 and later are no longer vulnerable). It also shows that no browser is vulnerable when used together with the Java Applet.plugin. Its results for Safari versions prior to the 2005-02 security update are ambiguous: the test crashes Safari :-) But my own (very simple) test (which combines a hello-world applet with Jouko Pynnonen's proof-of-concept JavaScript code from his advisory) has convinced me that it isn't vulnerable.

The Java Applet.plugin is saved by the fact that it doesn't support LiveConnect. Neither did early versions of Safari. More recent versions of Safari (available for OS X 10.3.X) do support LiveConnect, but apparently still aren't vulnerable. After the 2005-02 security update is installed, Safari neither crashes nor is vulnerable.
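As an added illustration (not code from this page or from the Java Embedding Plugin project), here are the findings above written as a small Python triage check: it parses Sun-style java.version strings and JEP release numbers and reports whether a given JVM/host combination is still exposed. The java.version formats (including Apple's "-build" suffix), the host labels and the helper names are assumptions.

```python
import re
from typing import Optional, Tuple

# Sun shipped the fix in 1.4.2_06; 1.4.2_05 and everything earlier is treated as affected.
FIXED_JVM = (1, 4, 2, 6)
# The MRJ Plugin JEP closed the hole indirectly starting with release 0.8.8.
FIXED_JEP = (0, 8, 8)

# Assumed java.version shapes: "1.3.1", "1.4.2_05", and Apple-style "1.4.2_05-141.4".
_JAVA_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:_(\d+))?(?:-.*)?$")


def parse_java_version(s: str) -> Tuple[int, int, int, int]:
    """Turn a java.version string into a comparable (major, minor, micro, update) tuple."""
    m = _JAVA_RE.match(s.strip())
    if not m:
        raise ValueError(f"unrecognised java.version: {s!r}")
    major, minor, micro, update = m.groups()
    return int(major), int(minor), int(micro or 0), int(update or 0)


def parse_dotted(s: str) -> Tuple[int, ...]:
    """Turn a JEP release number such as '0.8.7' into a comparable tuple."""
    return tuple(int(p) for p in s.strip().split("."))


def jvm_has_fix(java_version: str) -> bool:
    """True when the JVM itself carries Sun's LiveConnect fix (1.4.2_06 or later)."""
    return parse_java_version(java_version) >= FIXED_JVM


def is_exposed(java_version: str, host: str, jep_version: Optional[str] = None) -> bool:
    """Apply the page's findings to one JVM/host pairing.

    host is one of "safari", "java-applet-plugin" or "jep" (assumed labels).
    Safari and Java Applet.plugin are not affected regardless of JVM version;
    the MRJ Plugin JEP is affected before 0.8.8 and fixed from 0.8.8 on."""
    if jvm_has_fix(java_version):
        return False
    if host in ("safari", "java-applet-plugin"):
        return False
    if host == "jep":
        if jep_version is None:
            raise ValueError("host 'jep' needs a JEP version")
        return parse_dotted(jep_version) < FIXED_JEP
    raise ValueError(f"unknown host: {host!r}")
```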