UPDATE: It appears that Java 7 update 51 fixes this security hole.
Java applet demonstrating that Applet.getImage() in Java 7 and Java 6 breaks out of the security sandbox and can access any image on your computer. Enter a full filename of a photo on your computer. For example,
Full source code to this applet included in
If running on any version of Java prior to 7u25, when asked to run the applet unrestricted (full access to the computer), press CANCEL so that the applet runs sandboxed. As verification, the applet below displays 'sandbox' (test valid) or 'all-permissions' (test not valid, since the applet was granted full access and no sandbox escape is being demonstrated).
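A defender-side companion to the demo above, added here and not part of the original applet: it parses the JVM's `java.version` string and reports whether the runtime predates the Java 7 update 51 fix named at the top of the page. Java 6 is treated as affected because the page lists it as vulnerable and names no fixed Java 6 update; the class and method names are my own.

```java
// Added example (not from the original page): flag JVMs that the page describes
// as affected by the Applet.getImage() sandbox escape (Java 6, Java 7 before 7u51).
public class GetImageSandboxCheck {

    /** Major release and update number parsed from a Java version string. */
    static final class JavaVersion {
        final int major;
        final int update;
        JavaVersion(int major, int update) { this.major = major; this.update = update; }
    }

    /** Handles legacy "1.7.0_51[-b13]" strings and modern "11.0.2" strings. */
    static JavaVersion parse(String v) {
        // Drop build suffixes such as "-b13" or "+9" before splitting.
        int cut = v.indexOf('-');
        if (cut < 0) cut = v.indexOf('+');
        if (cut >= 0) v = v.substring(0, cut);
        String[] parts = v.split("\\.");
        if (parts.length >= 2 && parts[0].equals("1")) {
            // Legacy scheme: "1.7.0_51" -> major 7, update 51
            int major = Integer.parseInt(parts[1]);
            int update = 0;
            int us = v.indexOf('_');
            if (us >= 0) update = Integer.parseInt(v.substring(us + 1));
            return new JavaVersion(major, update);
        }
        // Modern scheme (Java 9 and later): "11.0.2" -> major 11, no update field
        return new JavaVersion(Integer.parseInt(parts[0]), 0);
    }

    /** True for any Java 6 and for Java 7 before update 51, the versions the page calls affected. */
    static boolean affectedByGetImageHole(String version) {
        JavaVersion jv = parse(version);
        if (jv.major == 6) return true;          // no fixed Java 6 update is named on the page
        if (jv.major == 7) return jv.update < 51; // 7u51 is the fix the page reports
        return false;                             // other releases are outside what the page covers
    }

    public static void main(String[] args) {
        // Check the running JVM, or a version string passed on the command line.
        String v = args.length > 0 ? args[0] : System.getProperty("java.version");
        System.out.println(v + (affectedByGetImageHole(v)
                ? ": affected, update to Java 7u51 or later"
                : ": not listed as affected"));
    }
}
```

Run it as `java GetImageSandboxCheck 1.7.0_45` to check a version string, or with no arguments to check the JVM you are running on.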