Unsigned apps can read/write system properties.
This issue affected the versions of the java-1.6.0-openjdk package, as shipped with Fedora release of 12 and 13, it is fixed with IcedTea6 1.8.1 [1,2]. [1] https://admin.fedoraproject.org/updates/java-1.6.0-openjdk [2] http://blog.fuseyism.com/index.php/2010/07/28/icedtea6-181-released/ -- Statement: This issue does not affect the version of the java-1.6.0-openjdk package, as shipped with Red Hat Enterprise Linux 5.
This issue has not been fully resolved, re-opening.
After some clarification, it turns out that the issue is resolved and has been backported to 1.7.4.
That clarification would be the upstream notification that 1.7.4 corrects these flaws: http://blog.fuseyism.com/index.php/2010/07/28/icedtea6-174-released/