I understand how a sandbox vulnerability could lead to malware being installed on the machine. But that malware still has to then exploit an OS-level security hole, right? The reports make it out that somehow the Java vulnerability allow complete take over of the machine. So I'm confused why the Win7, OSX, etc Access Control mechanism doesn't prevent the potential damage. Or is this specifically targeting users who for example are logged in as admin on a Win box and have explicit approval of system changes via ACL disabled?