Core Security Patterns: Best Practices and Strategies for J2EE ~ Ramesh Nagappan
Java Security ~ Scott Oaks
It appears that the flaw in the Java Web Start framework affects Linux machines just as much as Windows machines. But you would somehow have to get a 'bad VM' on the target system in order to make this work. Since people (smart people anyway) don't surf the web from their server boxes, the hacker would have to have some way to get the poisoned VM on the server. And I guess I'm not clear how Java Web Start would be started on a server. The issue affects all versions since Java SE 6 update 10. Disabling the Java plugin is not sufficient to prevent exploitation, as the toolkit is installed independently.
"But you would somehow have to get a 'bad VM'..." I've read somewhere else, ZDNet I think, that people are using UNC paths to download a bad VM on the fly, like this: