by Tarilo 4818 days ago
This is exactly why everyone on the internet keeps saying that you shouldn't automatically run Java applets or shouldn't have Java installed at all on your computer.

Java is just such a big target for hackers nowadays, that there will always be zero-days.

2 comments

The funny thing is, this particular attack doesn't even involve a Java vulnerability. You have to either specifically grant the applet elevated permissions (giving it full access to your computer) or download and run something that claims to be a "Java updater" from the "g2f.nl" domain.
What I'm not getting is how a running executable can log into a website and initiate a transaction. It won't have your password, right? Or is it just a keylogger to catch your password?
Like your regular XSRF, it relies on the user already being logged in some browser tab.

It probably has a keylogger too.

The lesson is that the weakest link in a computer system is the human.
Zero-day exploits are not logically inevitable but statistically likely, is what you meant to say, I believe. It is also not proven that that's what this is. He could just as easily have given it manual permission to access his filesystem/whatever.