...
CVE-2012-0507 describes an exploit that bypassed Java's applet security sandbox and ran malicious code on a remote user's machine. The exploit deserialized a malicious object that subverted Java's type system. The malicious object was an array of two objects. The second object was an AtomicReferenceArray<> whose internal array contained the first object. However, while the first object was an array of Help objects (Help inherited from ClassLoader), the declared type of an AtomicReferenceArray<>'s internal array is Object[]. This meant that the malicious code could use AtomicReferenceArray.set(ClassLoader) to create a Help object. (Creation of class loaders is forbidden by the applet security manager.)
This exploit worked because, in Java versions prior to 1.7.0_02, AtomicReferenceArray<> performed no validation on its internal array.
...
This exploit was mitigated in Java 1.7.0_03 by having AtomicReferenceArray<> validate its array upon deserialization. Its readObject() method inspects the array, and if the array is of the wrong type it copies the array, foiling the exploit.
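The same validation pattern, written as an added example rather than the JDK's own code: a hypothetical `ValidatedArrayHolder` declares an `Object[]` field, and its `readObject()` replaces any backing array whose runtime class is not exactly `Object[]` with a fresh `Object[]` copy before anything else can touch it. The round trip uses a `String[]` as constructed input, which is assignable to `Object[]` through ordinary array covariance, so the check can be observed without any crafted stream.

```java
import java.io.*;
import java.util.Arrays;

// Hypothetical holder mirroring the AtomicReferenceArray shape: a field declared
// as Object[] whose runtime type may be narrower than its declared type.
public final class ValidatedArrayHolder implements Serializable {
    private Object[] array;

    public ValidatedArrayHolder(Object[] array) {
        this.array = array;
    }

    // Runtime class of the backing array, so a caller can confirm the check took effect.
    public Class<?> backingArrayClass() {
        return array.getClass();
    }

    // Same idea as the 1.7.0_03 mitigation: once the stream has populated the field,
    // keep only an array whose runtime type is exactly Object[]; otherwise copy it.
    private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
        in.defaultReadObject();
        if (array.getClass() != Object[].class) {
            array = Arrays.copyOf(array, array.length, Object[].class);
        }
    }

    // Round-trips an instance through Java serialization in memory (constructed input, no I/O).
    public static ValidatedArrayHolder roundTrip(ValidatedArrayHolder h)
            throws IOException, ClassNotFoundException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(h);
        }
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(bos.toByteArray()))) {
            return (ValidatedArrayHolder) in.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // A String[] is assignable to Object[], so the holder starts out with a narrower array.
        ValidatedArrayHolder before = new ValidatedArrayHolder(new String[] {"a", "b"});
        ValidatedArrayHolder after = roundTrip(before);
        System.out.println("before: " + before.backingArrayClass().getSimpleName());
        System.out.println("after:  " + after.backingArrayClass().getSimpleName());
    }
}
```

Without the `readObject()` hook the deserialized instance would keep the narrower `String[]` as its backing array; with it, every deserialized instance ends up holding a plain `Object[]`.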
...