Article 2018 of comp.lang.java.security:

In message <5c3bfd$1u4@ratty.wolfe.net> Paul Phillips writes:
[...]
> If there's one thing I've learned from this, it's that one must
> never bring up Java without anticipating the comparisons to ActiveX.
> If the taste testers said "Pepsi is too sweet!" and the Pepsi
> supporters said "What about Coke? Have you tried Coke? Coke is too
> sweet AND it melts your teeth!" then the taste testers would realize
> they should have said "Today, I'm addressing Pepsi. Tomorrow, Coke.
> But can we please talk about Pepsi for a few minutes?"

I know exactly how you feel. Here's something I wrote in c.l.j.advocacy:

# [Gordan McMillan wrote:]
# > You say you're attacking ActiveX, but I don't hear anything about the danger
# > of signed JAR files or the dangers inherent in Netscape Plugins.
#
# Am I supposed to say everything in one article? Be patient; I'll get to those.

Incidentally, everything you wrote in your article is feasible. The only
caveat I'd point out is that I don't think web servers would work very
well as a vector for the infection (compared to other possible attacks),
because the server maintainers would probably be able to discover and fix
the changes before very many clients were infected.

There are lots of other fun things you can do, though - see the article
'Active email and news' a few weeks ago on c.l.j.security (best viewed
with Netscape News, if it hasn't expired on your server yet).
The article ID is

David Hopwood
david.hopwood@lmh.ox.ac.uk, hopwood@zetnet.co.uk