MS Java VM Exposes User Files
Reported February 18, 2000 by Hideo Nakamura
According to Microsoft's bulletin, "The version of the Microsoft VM that ships with Microsoft Internet Explorer [IE] 4.x and Internet Explorer 5.x contains a security vulnerability that could allow a Java applet to operate outside the bounds set by the sandbox. A malicious user could write a Java applet that could read - but not change, delete or add - files from the computer of a person who visited his site or read web content from inside an intranet if the malicious site is visited by a computer from within that intranet. The malicious user would need to know the exact path and filename of the files he wished to read."
Keep in mind that Microsoft's Java VM ships with other products as well, so even if you do not have IE installed, you may still have the Java VM installed.
New versions of the Microsoft VM that include a fix for the vulnerability can be downloaded from the following locations: