Malicious Java Applet May Be Able to Read, Write, or Delete Files on the Computer of a Web Site Visitor

• Microsoft Internet Explorer versions 4.01 Service Pack 2, 5 for Windows 98
• Microsoft Internet Explorer versions 4.0, 4.01, 4.01 Service Pack 1, 4.01 Service Pack 2, 5 for Windows NT 4.0
• Microsoft Internet Explorer versions 4.0, 4.01, 4.01 Service Pack 1, 4.01 Service Pack 2, 5 for Windows 95
• Microsoft Windows 98
• Microsoft Windows 98 Second Edition

SYMPTOMS

A scenario has been identified through which a Java applet can operate outside the bounds set by the sandbox and perform normally unauthorized functions on your computer. Exploiting the vulnerability is only possible through a very carefully managed series of steps, and cannot happen accidentally. However, if a malicious Web site operator hosts a Java applet that exploits this security vulnerability, it could read, write, or delete files on your computer when you visit the site.

RESOLUTION

A supported fix that corrects this problem has been posted to the following Internet location:

http://www.microsoft.com/java/vm/dl_vm40.htm

STATUS

Microsoft has confirmed this to be a problem in the Microsoft products listed at the beginning of this article. This problem has been corrected in build 3234 of the Microsoft Virtual Machine (VM) that is included with Internet Explorer version 5.01.

NOTE: JVIEW in Windows 2000 displays the build number as 3229.

MORE INFORMATION

For more information, please see the following Microsoft Security Bulletin:

http://www.microsoft.com/security/bulletins/ms99-031faq.asp

http://www.microsoft.com/security/

Additional query words: ie Patch Available for "Virtual Machine Sandbox" Vulnerability

Keywords : msiew95 msient msiew98
Version : WINDOWS:4.0,4.01,4.01 Service Pack 1,4.01 Service Pack 2,5
Platform : WINDOWS
Issue type : kbbug