IcedTea6 prior to 1.7.4 does not properly check property access, which allows unsigned apps to read and write arbitrary files.
redhat icedtea6