According to the blog on blog.ethereum.org, Some Mist API methods were exposed, making it possible for malicious webpages to gain access to a privileged interface that could delete files on the local filesystem or launch registered protocol handlers and obtain sensitive information, such as the user directory or the user’s “coinbase”.