This is a short blog post about what could have happened if a malicious user had exploited the issues I found.
Anyone who has read the posts about Java DNS Rebinding and Java applet Same IP Host Access has probably already come to the conclusion I am going to describe in the next few lines, which can be summarized like this.
Consider the following points:
Suppose now that the evil.tld server hosts a page which forces a DNS rebinding to google.com's IP. If a user visits that page, the Java VM applet sandbox will believe that google.com and evil.tld share the same IP.
According to the Java Same IP Origin Policy, from then on it will be possible to read google.com pages.
Extend the attack to any possible host and you will see the extent of the issue.
Now, someone could say that DNS Rebinding is difficult to implement. Yes, it could be.
But considering that XSS is still one of the most widespread vulnerabilities on the web (50% of the world's sites?), you get another picture.
Finally, a malicious page could use classical history stealing or other logged-in detection techniques to find out whether the victim is logged in to some site, and you have the bigger attack flow.
This attack could have created big Internet (client-side) mayhem.
Fortunately this is no longer feasible, because I made a responsible disclosure to Oracle and waited 6 long months before disclosing all 7 issues.
Now that the Java update is out, everybody is advised to install it.
Oh, and if you don't really need Java, I suggest you uninstall it for good... and that is the saddest thing.
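The rebinding step above leaves a recognizable trace in resolver logs: the attacker's name is served with a tiny TTL and flips to a different address within seconds. The following detector is an added example, not code from the original post; the log format and the hostnames (evil.tld, static.example.net) and addresses in SAMPLE_LOG are constructed, and the thresholds (TTL of at most 60 seconds, a change within 300 seconds) are assumptions for illustration.

```python
"""Flag DNS rebinding candidates in constructed resolver log lines (added example)."""
from collections import defaultdict

# Constructed sample log, one answer per line: "<epoch_seconds> <qname> <answer_ip> <ttl>".
# evil.tld is served with TTL 1 and changes address after a few seconds (rebinding
# pattern); static.example.net is a stable name with a normal TTL, for contrast.
SAMPLE_LOG = """\
1000 evil.tld 203.0.113.5 1
1003 evil.tld 203.0.113.5 1
1006 evil.tld 198.51.100.10 1
1000 static.example.net 192.0.2.20 3600
1100 static.example.net 192.0.2.20 3600
"""


def parse_log(text):
    """Parse log text into (timestamp, qname, ip, ttl) tuples; qnames are normalized."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, qname, ip, ttl = line.split()
        records.append((int(ts), qname.lower().rstrip("."), ip, int(ttl)))
    return records


def find_rebinding(records, max_ttl=60, window=300):
    """Return {qname: [(ts, old_ip, new_ip), ...]} for names whose answer changed
    within `window` seconds while both answers carried a TTL of at most `max_ttl`.
    A legitimate low-TTL name (CDN, load balancer) can also trip this, so treat
    hits as candidates for review rather than proof of an attack."""
    by_name = defaultdict(list)
    for ts, qname, ip, ttl in sorted(records):
        by_name[qname].append((ts, ip, ttl))

    findings = {}
    for qname, answers in by_name.items():
        prev = None  # previous (ts, ip, ttl) seen for this name
        for ts, ip, ttl in answers:
            if (prev is not None and ip != prev[1]
                    and ttl <= max_ttl and prev[2] <= max_ttl
                    and ts - prev[0] <= window):
                findings.setdefault(qname, []).append((ts, prev[1], ip))
            prev = (ts, ip, ttl)
    return findings


if __name__ == "__main__":
    for name, changes in find_rebinding(parse_log(SAMPLE_LOG)).items():
        for ts, old_ip, new_ip in changes:
            print(f"{name}: {old_ip} -> {new_ip} at t={ts} (low-TTL flip)")
```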