
Java VM Applet Vulnerability

A security vulnerability exists in the Microsoft® virtual machine (Microsoft VM). If a malicious web site operator were able to coax a user into visiting the operator's site, the vulnerability could allow the operator to masquerade as the user, visit other sites using the user's identity, and relay the information back to the operator's site.

Issue

The Microsoft VM is a virtual machine for the Win32® operating environment. It runs atop Microsoft Windows® 95, Windows 98, Windows NT®, or Windows 2000. It ships as part of each operating system, and also as part of Microsoft Internet Explorer. The version of the Microsoft VM that ships with Microsoft Internet Explorer 4.x and Internet Explorer 5.x contains a security vulnerability that could allow a Java applet to operate outside the bounds set by the sandbox.

By design, an applet should only be able to communicate with the web site that hosted it. However, this vulnerability would allow an applet to bypass this restriction. If a user visited a web site operated by a malicious user, the site could start an applet that would be able to establish a connection with another web site and forward any information from the web session to the malicious user's site.

The session would be established in the guise of the visiting user, rather than that of the malicious user. Thus, the vulnerability could be used to access an intranet site located behind a firewall, access information in the guise of the user, and relay it to the malicious user. The only prerequisite is that the malicious user would need to know or guess the name of the intranet site. Although the applet would be able to make use of the user's credentials to authenticate to the site, this vulnerability would not provide a way to compromise them.
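
The host-of-origin rule described above, modelled in simplified form and run over constructed connection records to show which attempts the sandbox is meant to refuse. This is an added example, not code from Microsoft or from the original advisory; the host names, the record layout and the function names are assumptions.

```python
from urllib.parse import urlsplit

# Constructed sample records: (applet codebase URL, host the applet tried to reach).
ATTEMPTS = [
    ("http://applets.example.com/game/", "applets.example.com"),
    ("http://applets.example.com/game/", "APPLETS.example.com."),
    ("http://applets.example.com/game/", "intranet.corp.example"),
    ("http://applets.example.com/game/", "www.example.com"),
]


def normalize_host(host):
    """Lower-case the name and drop a trailing dot so equal DNS names compare equal."""
    return host.strip().rstrip(".").lower()


def may_connect(codebase_url, target_host):
    """Host-of-origin rule: allow only the host the applet was loaded from."""
    origin = urlsplit(codebase_url).hostname
    if not origin or not target_host:
        return False  # fail closed when either side cannot be determined
    return normalize_host(origin) == normalize_host(target_host)


def violations(attempts):
    """Return the records that the host-of-origin rule forbids."""
    return [rec for rec in attempts if not may_connect(rec[0], rec[1])]


if __name__ == "__main__":
    for codebase, target in violations(ATTEMPTS):
        print(f"DENY  applet from {codebase} -> {target}")
```

A sibling host in the same parent domain is refused just like the intranet name: the rule compares whole host names, not domains.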

Affected Products

  • Microsoft VM builds 2000, 3100, 3200 and 3300.

Download

Patch: http://www.microsoft.com/java/vm/dl_vm40.htm

Further Details

Source: Microsoft Corporation

Reference: Microsoft Corporation

Updated: April 21, 2000
