On Tue, Jun 18, 2013 at 11:29 PM, Dhiru Kholia dhiru.kholia@gmail.com wrote:
Some recent news,
http://www.theregister.co.uk/2013/06/14/java_june_critical_patch_update/
"The majority are vulnerable through browser plugins, 11 of which are exploitable for complete control of the underlying operating system," said Ross Barrett, senior manager of security engineering at Rapid7.
I can see how a vulnerability in Java running in user space can cause all sorts of problems for the user, but unless someone is running a browser as superuser, how can it possibly take "complete control of the underlying operating system"? Surely that would require a privilege escalation vulnerability in the kernel or a setuid program, and such a vulnerability is the fault of that package, not of Java.
Eric