Bypassing Java Sandbox with Program Results in VM Security Vulnerability

ID: Q244283


The information in this article applies to:
  • Microsoft Windows 95
  • Microsoft Windows 98
  • Microsoft Windows NT Workstation version 4.0
  • Microsoft Windows NT Server version 4.0
  • Microsoft Windows NT Server, Enterprise Edition version 4.0
  • Microsoft BackOffice Server versions 4.0, 4.5
  • Microsoft BackOffice Small Business Server versions 4.0, 4.5


SYMPTOMS

When a Java program is constructed by hand with a Java bytecode assembler so that it operates outside the bounds set by the sandbox (the security scheme for Java programs), the program may be able to exploit a security vulnerability in the Microsoft Virtual Machine (VM). If the program is hosted on a Web site, it may be able to run a program or perform certain tasks on a visiting user's computer that the user has not authorized. These tasks may include creating, deleting, or modifying files, sending data to or receiving data from a Web site, or reformatting the hard disk.

The following builds of the Microsoft VM are affected:

  • All builds in the 2000 series.
  • All builds in the 3000 series earlier than, but not including, build 3188.


RESOLUTION

A supported fix that corrects this problem is now available from Microsoft, but it has not been fully regression tested and should be applied only to systems experiencing this specific problem.

To resolve this problem, contact Microsoft Product Support Services to obtain the fix. For a complete list of Microsoft Product Support Services phone numbers and information on support costs, please go to the following address on the World Wide Web:

http://www.microsoft.com/support/supportnet/overview/overview.asp

This hotfix has been posted to the following Microsoft Web site:

http://www.microsoft.com/java/vm/dl_vm32.htm


STATUS

Microsoft has confirmed this to be a problem in the Microsoft products listed at the beginning of this article.


MORE INFORMATION

For related information about this problem, please visit the following Microsoft Web site:

http://www.microsoft.com/security/bulletins/ms99-045.asp

For additional security-related information about Microsoft products, please visit the following Microsoft Web site:

http://www.microsoft.com/security/

Additional query words: applet

Keywords : win95 ntsecurity win98 kbbug4.00 kbfix4.00
Version : WINDOWS:95; winnt:4.0,4.5
Platform : WINDOWS winnt
Issue type : kbbug


Last Reviewed: October 25, 1999
© 2000 Microsoft Corporation. All rights reserved.