Oh, and from reading the research pages, it seems that this is no bug in Java; it's a hole in user education. The applet requests permission to gain security privileges (so that it can read and write to your computer as any desktop application would) and the user has to say "Allow" to permit it to do so.
Let's be honest, if a .exe file was asking for the same permission, plenty of users would click "Allow", and this is little different.
Until users stop and think "wait a minute" before running new software, these attacks will be common. The fact that Java is cross-platform just means that the net is thrown wider.