"The JNLP BasicService in Sun Java Web Start allows remote attackers to execute arbitrary programs on a client machine via a file:// URL argument to the showDocument method."
References:
http://www.securityfocus.com/archive/1/archive/1/497799/100/0/threaded
http://www.securityfocus.com/archive/1/archive/1/497972/100/0/threaded
http://www.securityfocus.com/bid/31916
http://securityreason.com/securityalert/4542
http://xforce.iss.net/xforce/xfdb/46119

I see no point in keeping this bug private. The CVE is public, and it does not look as though Sun has addressed it (or if they have, they haven't mentioned it).