Microsoft's Java VM Exposes User Credentials

 

Reported August 21, 2000 by Microsoft

VERSIONS AFFECTED
  • Microsoft Java VM Series 2000, 3100, 3200, 3300 (installed with Internet Explorer 4.x and 5.x)

DESCRIPTION

By design, the browser-based Java VM runs untrusted Java applets within a security sandbox that restricts the applet's access to the user's system. However, a flaw in the sandbox design could allow a Web site operator to use a visiting user's credentials to gain access to protected data.

VENDOR RESPONSE

Microsoft has released FAQ #FQ00-059, Support Online article Q271752, and patches for the affected versions.

To determine your Java VM version, open a command window and enter the command "jview", which will display the version number.

According to Microsoft's bulletin,

CREDIT
Discovered by Microsoft
