Even though careful attention to application security can bulletproof your Java environments, more obscure attacks targeting the underlying Java Runtime Environment can leave your software vulnerable if left unattended. Symantec's Security Response blog summarizes what is becoming a common trend in JRE attacks:
Due to the way Java allocates heap-memory, scenarios where the attacker can repeatedly “spray” the heap with a nop sled and associated payload across a large portion of memory can be used to add reliability to an exploit. This technique was initially pioneered by Skylined for use in JavaScript when targeting browser vulnerabilities, but similar techniques have since proven useful inside the JRE as well (see JvmGifVulPoc.java).
Read the complete post: http://www.symantec.com/enterprise/security_response/weblog/2007/07/new_trend_in_attacking_the_jav.html