CVE-2008-3638
Java on Apple Mac OS X 10.5.4 and 10.5.5 does not prevent applets from accessing file:// URLs, which allows remote attackers to execute arbitrary programs.
Date published : 2008-09-26
http://lists.apple.com/archives/security-announce//2008/Sep/msg00007.html