Java Security Issues Addressed in Internet Explorer 3.0

Last reviewed: September 29, 1997
Article ID: Q154559
The information in this article applies to:
  • Microsoft Internet Explorer version 3.0 for Windows 95

SUMMARY

With Microsoft Internet Explorer version 3.0, Microsoft has adhered to the Java security specification set forth by Sun Microsystems which dictates that Java programs run in what is known as a "sandbox." A "sandbox" is an area in memory outside of which the program cannot make calls. This prevents Java programs from being able to call low-level system functions that could cause data corruption or other damage.

Microsoft also includes code-signing detection in Internet Explorer that notifies the user whether the Java program was created by a trusted publisher and shows a warning message if the publisher is not trusted or if the program is not signed.

MORE INFORMATION

Code signing (as implemented with Authenticode) and the Java sandbox approach are two methods used to provide security in Internet Explorer.

Microsoft has the most secure sandbox available today in Internet Explorer 3.0, and will continue to add capabilities to it. However, as published reports in the last six months have shown, sandboxing by itself is inadequate to offer a satisfactory level of security. It is also unlikely that sandboxing will ever be able to offer a rich enough set of capabilities for many programs. For that reason, Microsoft offers Authenticode as an additional level of security. Authenticode provides users with accountability, because it positively identifies the publisher of a piece of code.

These two security methods augment each other. Some programs run fine within the robust sandbox provided in Internet Explorer, but signed code can be run with a higher degree of assurance, whether inside the sandbox or out. Users want their browsers to support both capabilities, and that is why Microsoft is including both in Internet Explorer.

Code signing is also an industry-wide initiative. Netscape and JavaSoft have publicly announced their intention to support it, and the World Wide Web Consortium is currently discussing a Microsoft code-signing submission.


KBCategory: kbref
KBSubcategory: msiew95
Additional reference words: 3.00 win95 ie3 ie30
Keywords : msiew95 kbfaq
Version : 3.00
Platform : WINDOWS
Issue type : kbinfo


THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY.

Last reviewed: September 29, 1997
© 1998 Microsoft Corporation. All rights reserved. Terms of Use.