Article 962 of comp.lang.java.security:

I have found and verified a security hole in the current implementation of Java. This hole exists under Netscape version 3 and below. I have been in contact with both Sun and Netscape and they are working the problem.

In most Java implementations, security policy forbids applets from reading the local directory structure. I have discovered that it is possible for an applet, using only Java, to determine if specified files exist on the file system of the client machine. The applet I have prototyped cannot read or write to the file, but it can detect its presence. My applet is then free to surreptitiously Email the result of the file search to any machine on the Internet, for example MarketResearch@microsoft.com.

I have a web page dealing with this hole in a bit more detail at:

http://www.nyx.net/~jbuzbee/hole.html

I am not yet releasing the applet in any form, but I will do so in the future when both Sun and Netscape have had a chance to correct the behavior.

Jim Buzbee

--
--------------------------------------------------------------------------------
Jim Buzbee                                | "I was gratified to be able to
jbuzbee@nyx.net                           | answer promptly, and I did. I
http://www.nyx.net/~jbuzbee/bat_house.html| said I didn't know." Mark Twain