TLDR; OP runs java applet (either in browser or downloaded it).
Java applet sends bitcoin from OP's MtGox account to the 'hackers' bitcoin address, using the OP's browser, which was logged in to his MtGox account at the time.
Yeah, this has fuck-all to do with bitcoins. Same thing could have happened with real money through paypal or a bank's website, except those are probably a few steps ahead of babby's first online banking website in terms of migitating against likely attack vectors.