Microsoft KB Archive/155479

= Microsoft Knowledge Base =

Java Security Issue Lets Web Sites Download Image & Class Files
Last reviewed: August 12, 1997

Article ID: Q155479



BETA INFORMATION

This article discusses a Beta release of a Microsoft product. The information in this article is provided as-is and is subject to change without notice.

No formal product support is available from Microsoft for this Beta product. For information about obtaining support for a Beta release, please see the documentation included with the Beta product files, or check the Web location from which you downloaded the release.

The information in this article applies to:


 * Microsoft Internet Explorer versions 3.0, 3.01, 3.02, 4.0 for Windows 95
 * Microsoft Internet Explorer versions 3.0, 3.01, 3.02, 4.0 for Windows NT 4.0
 * Microsoft Internet Explorer versions 3.0, 3.01, 3.02a, 4.0 for Windows 3.1

SYMPTOMS
When you visit a web site, that site can, without your permission, download an image file from another web site (such as an Intranet) that you have permission to access.

This web site can also run a Java program that loads Java classes (software that helps Java run) onto your computer from another web site (such as an Intranet). This violates one of the Java sandbox restrictions to the extent that it allows classes to be loaded from any host (web server). However, the other sandbox restrictions are still enforced. For example, the classes are not allowed to read from or write to your hard disk.

Please note that in order to take advantage of this situation, someone must know a great deal about the image or Java class they seek to download, including its exact Web location and file name. This security issue specifically affects the Microsoft Java Virtual Machine (JVM) and not the browser.
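The sandbox restriction described above, that an applet's images and classes come only from the host the applet itself was loaded from, amounts to a host comparison between the applet's codebase and each requested resource. The following Java is an added example, not code from Microsoft or from the Microsoft JVM; the class name, method names and host names are hypothetical and the sample requests are constructed.

```java
import java.net.URI;
import java.net.URL;

// Added illustration of the same-host rule; not Microsoft JVM code.
// All class, method and host names here are hypothetical.
public class CodebaseHostCheck {

    // Port actually used by the URL: the explicit one, or the protocol default.
    static int effectivePort(URL u) {
        return u.getPort() != -1 ? u.getPort() : u.getDefaultPort();
    }

    // True only when 'requested' is served by the host the applet came from.
    // Host names are compared as text; no DNS resolution is performed.
    static boolean isSameHost(URL codeBase, URL requested) {
        return codeBase.getProtocol().equalsIgnoreCase(requested.getProtocol())
            && codeBase.getHost().equalsIgnoreCase(requested.getHost())
            && effectivePort(codeBase) == effectivePort(requested);
    }

    // Fail closed: anything that does not parse as an absolute URL is denied.
    static boolean mayLoad(URL codeBase, String requested) {
        try {
            return isSameHost(codeBase, URI.create(requested).toURL());
        } catch (Exception e) {
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: an applet served by a public site, and the
        // resources it asks for while running in the visitor's browser.
        URL codeBase = URI.create("http://www.example.com/applets/").toURL();
        String[] requests = {
            "http://www.example.com/applets/Helper.class",   // originating host
            "http://WWW.EXAMPLE.COM:80/images/logo.gif",     // originating host, default port written out
            "http://intranet.example.corp/hr/Payroll.class", // class on another host (intranet)
            "http://intranet.example.corp/images/plan.gif",  // image on another host (intranet)
            "not a url"                                      // unparseable input
        };
        for (String r : requests) {
            System.out.println((mayLoad(codeBase, r) ? "ALLOW " : "DENY  ") + r);
        }
    }
}
```

The two intranet requests are the case this article describes: a JVM that enforces the restriction refuses them, while the affected JVM lets them through.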

RESOLUTION
If you are concerned about this issue, you can temporarily work around this problem by disabling the ability of web sites to run Java programs on your computer. To do so:


 1) Go to Internet Explorer.
 2) On the View menu, click Options.
 3) Click the Security tab, click Enable Java Programs so that it is not selected, and then click OK.

Once Microsoft releases a fix, these steps will not be necessary.

STATUS
Microsoft plans to provide an update to the JVM as soon as possible for the following products:


 * Internet Explorer 3.02 for Windows 95
 * Internet Explorer 3.02 for Windows NT 4.0
 * Internet Explorer 3.02a for Windows 3.1
 * Internet Explorer 3.02a for Windows NT 3.51

NOTE: This problem will be fixed in the final versions of the JVM that ship with Internet Explorer 4.0.

You can obtain the latest Internet Explorer security information from the following Microsoft web site:

http://www.microsoft.com/ie/security/

NOTE: Because the Microsoft Web site is constantly updated, the site address may change without notice. If this occurs, link to the Microsoft home page at the following address:

http://www.microsoft.com/

MORE INFORMATION
If the default security settings are not changed, this information does not apply to Internet Explorer for Macintosh.