MS Java VM Exposes User Files

 
Reported February 18, 2000 by Hideo Nakamura

VERSIONS AFFECTED

Microsoft Java VM, all builds in the 2000, 3100, and 3200 series

DESCRIPTION

According to Microsoft's bulletin, "The version of the Microsoft VM that ships with Microsoft Internet Explorer [IE] 4.x and Internet Explorer 5.x contains a security vulnerability that could allow a Java applet to operate outside the bounds set by the sandbox. A malicious user could write a Java applet that could read - but not change, delete or add - files from the computer of a person who visited his site or read web content from inside an intranet if the malicious site is visited by a computer from within that intranet. The malicious user would need to know the exact path and filename of the files he wished to read."

Keep in mind that Microsoft's Java VM ships with other products as well, so even if you do not have IE installed, you may still have the Java VM installed.

VENDOR RESPONSE

Microsoft has issued new Java VMs as well as a FAQ regarding this matter. No Support Online article was available at the time of this writing.

New versions of the Microsoft VM that include a fix for the vulnerability can be downloaded from the following locations:

CREDITS
Discovered by Hideo Nakamura
