Microsoft KB Archive/244283

= MS99-045: Bypassing Java Sandbox with Program Results in VM Security Vulnerability =

Article ID: 244283

Article Last Modified on 11/1/2006


APPLIES TO

Microsoft Java Virtual Machine, when used with:
 * Microsoft Windows XP Professional
 * Microsoft Windows Millennium Edition
 * Microsoft Windows 2000 Standard Edition
 * Microsoft Windows NT 4.0
 * Microsoft Windows 98 Second Edition
 * Microsoft Windows 98 Standard Edition
 * Microsoft Windows 95



This article was previously published under Q244283


SYMPTOMS
A Java program that is manually constructed with a Java bytecode assembler to operate outside the bounds set by the sandbox (the security scheme for Java programs) may be able to exploit a security vulnerability in the Microsoft virtual machine (Microsoft VM).

If the program is hosted on a Web site, it may be able to run a program or perform certain tasks on the computer of a visiting user that the user has not authorized. This may include the following tasks:
 * Create a file.
 * Delete a file.
 * Modify a file.
 * Send data to a Web site.
 * Receive data from a Web site.
 * Reformat the hard disk.


RESOLUTION
To resolve this problem, apply the "Security Update, March 4, 2002" from the Critical Updates section of the following Microsoft Web site:

Welcome to Windows Update

http://windowsupdate.microsoft.com/

NOTE: This critical update upgrades your Microsoft VM to version 3805 and is only available if you have an affected version of the Microsoft VM installed. All builds of the Microsoft VM up to and including build 3802 are affected.

NOTE: Build 3805 also corrects the following security vulnerability:

300845 MS02-013: Java Applet Can Redirect Browser Traffic


STATUS
Microsoft has confirmed that this problem may cause a degree of security vulnerability in the Microsoft virtual machine.


MORE INFORMATION
For more information about this vulnerability, refer to the following Microsoft Web sites:

http://www.microsoft.com/technet/security/bulletin/ms02-013.mspx

http://www.microsoft.com/technet/security/bulletin/ms99-045.mspx

For additional information about the Microsoft virtual machine, click the article number below to view the article in the Microsoft Knowledge Base:

169803 INFO: Historical List of Shipping Vehicles for Microsoft VM

For support information about Visual J++ and the SDK for Java, visit the following Microsoft Web site:

http://www.microsoft.com/java

Additional query words: security_patch applet

Keywords: kbbug kbfix kbsecurity kbsecvulnerability KB244283


© Microsoft Corporation. All rights reserved.