HEADS UP!
MS warns of "critical" Java VM flaws
By Robert Lemos
Special to ZDNet News
September 19, 2002, 4:34 AM PT
zdnet.com.com
Microsoft released an advisory Wednesday night warning all users of its Windows operating system of two new critical flaws that could allow a malicious attacker to take control of a victim's PC.
The critical flaws occur in the software giant's implementation of the Java Virtual Machine, which allows platform-independent programs to run on a PC.
"(The flaws) could enable an attacker to gain complete control over a user’s system," stated the advisory. "This would enable the attacker to perform any operation that the user could, such as running applications; communicating with web sites; (and) adding, deleting or changing data."
An attacker could exploit the flaws by getting the victim to view a certain Web site with the code embedded in page. HTML e-mail could also be a danger, unless the recipient uses Outlook 2002, Outlook Express 6.0 or has installed the Outlook E-mail Security Update. Finally, those who used the Internet Explorer security settings to disable Java applets won't be affected by the vulnerabilities.
The first vulnerability is caused by a lack of vigilance of certain Java classes that handle database requests. While the classes do attempt to block illegal requests, the security measures can be bypassed, the advisory states.
A second flaw occurs in a Java class that’s provided to support the use of XML via Java, but allows all programs--not just a select few--to use the methods.
Microsoft has a patch posted on its site and linked from the advisory. Windows users can also get the patch through Windows Update. |
