There is vulnerability in Java Web Start. Already there is some vulnerability posted for persistenceservice service of java web start. But in Basicservice also we can run any file on the client using showDocument method. Just give the URL of file on client computer. If the browser has software attached to run that filetype it will be run automatically without user knowledge.