Critical Java flaws revealed

• Tags:
• JVM,
• Security Flaw,
• Advisory,
• Patch

Published: 19 Sep 2002 12:36 BST

• 
• 
• 
• 
• 

Microsoft released an advisory on Wednesday night warning all users of its Windows operating system of two new critical flaws that could allow a malicious attacker to take control of a victim's PC. The advisory can be found on Microsoft's Web site.

The critical flaws occur in the software giant's implementation of the Java Virtual Machine, which allows platform-independent programs to run on a PC.

"(The flaws) could enable an attacker to gain complete control over a user's system," stated the advisory. "This would enable the attacker to perform any operation that the user could, such as running applications; communicating with web sites; (and) adding, deleting or changing data."

An attacker could exploit the flaws by getting the victim to view a certain Web site with the code embedded in page. HTML email could also be a danger, unless the recipient uses Outlook 2002, Outlook Express 6.0 or has installed the Outlook Email Security Update. Finally, those who used the Internet Explorer security settings to disable Java applets won't be affected by the vulnerabilities.

The first vulnerability is caused by a lack of vigilance of certain Java classes that handle database requests. While the classes do attempt to block illegal requests, the security measures can be bypassed, the advisory states.

A second flaw occurs in a Java class that's provided to support the use of XML via Java, but allows all programs -- not just a select few -- to use the methods.

Microsoft has a patch posted on its site and linked from the advisory. Windows users can also get the patch through Windows Update.

---

• 
• 
• 
• 

• Share this article:
• Digg
• Slashdot
• Del.ici.ous
• Stumble
• Reddit

• Most Recent
• Most Popular
• Most Discussed

• Most Recent
• Most Popular