The Princeton Secure Internet Programming team have found another bug in the Microsoft Java VM. Apparently the VM lets an illegal typecast through the validator, which could potentially allow a malicious applet to escape the sandbox. It's not surprising that the MS VM has so many flaws: they sacrificed a lot of portability and security for performance just so they could market their VM better. It also made it harder for them to adopt the RMI spec, since instead of using handles like every other VM implementation they were using pointers directly, which obviously didn't translate well into a distributed environment.