Date: Tue, 6 Apr 1999 16:32:21 -0400 (EDT)
From: "Viren R. Shah" <viren@rstcorp.com>
To: Jeff Dalton <jeff@aiai.ed.ac.uk>
Cc: FreeBSD-java@freebsd.org
Subject: Re: Fwd: New Hole in Java 2 (fwd)
Message-ID: <199904062032.QAA24235@jabberwock.rstcorp.com>
In-Reply-To: <22035.199904061724@todday>
References: <22035.199904061724@todday>

>>>>> "Jeff" == Jeff Dalton <jeff@aiai.ed.ac.uk> writes:

Jeff> Is it really the case that the attacker can seize control of a Unix
Jeff> machine (such as a PC running FreeBSD) and "do whatever he wants",
Jeff> which seems to imply that he can become root? Or can he only do
Jeff> whatever he wants provided it's something "nobody" is able to do?

It is basically a simple (though laughable) flaw in the bytecode
verifier (that should be pretty easy to fix), and will allow the
attacker to obtain the privileges of the uid that the VM process is
running as -- so unless you are browsing as root (at which point you
deserve what you get), the attacker will not get root through this
particular VM flaw. [Once he has access to your account, there are
other ways to get root]

Jeff> -- jeff

Viren
--
Viren R. Shah                  | viren@rstcorp.com
Research Associate             | viren@viren.org
Reliable Software Technologies | http://www.rstcorp.com/~vshah

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-java" in the body of the message