SUMMARY

A number of known issues in Java support for Internet Explorer have now been corrected in the Internet Explorer 3.02 release. Please download this upgrade if you are experiencing any problems with Java support in Internet Explorer 3.0. To address the issues discussed below, ensure you have the latest build of the Microsoft Win32 virtual machine. For more information about obtaining the latest build, see the REFERENCES section of this article.

• Java Mischief Security Issue Identified.
  
  This security issue specifically affects the JVM and not the browser. Microsoft's current understanding of the problem is that when a user visits a malicious Web site, the site could download an image from another Web site such as an intranet that the user has permission to access without the user' knowledge or permission. The security problem could also be used to download an image file from the malicious site to the user's computer memory storage.
  
  The problem will be fixed in the final versions of the JVM that ships with Internet Explorer 4.0, and we plan to provide a fix for Internet Explorer 3.02 on Windows 95/NT 4.0 and Internet Explorer 3.02a on Windows 3.1/NT 3.51 as soon as possible. The fix will be available as an update to the JVM. For more information see the "New Java Mischief Security Problem" link on this page:

  http://www.microsoft.com/ie/security/.

• Java Applets hang Internet Explorer 3.02 after installing Windows NT version 4.0 Service Pack 3.
  
  Internet Explorer version 3.02 may hang when you are navigating to a page that contains a Java applet after installing Windows NT version 4.0 Service Pack 3. The hang only occurs if the Display Properties Color Palette is set to True Color. For more detailed information, please see the following article in the Microsoft Knowledge Base:

  168748 Java Applets Cause IE 3.02 to Stop Responding w/ SP3

• University of Washington bytecode verifier issue.
  
  Microsoft announced the immediate availability of an updated version of the Microsoft virtual machine. Researchers at the University of Washington recently notified Microsoft and other vendors of a set of anomalies in Microsoft virtual machines. These anomalies could potentially result in a security exposure for customers using Java applets, causing a system crash or lose data.
  
  The researchers with the Kimera Project in the Department of Computer Science and Engineering at the University of Washington have an automatic validation technology that allows them to quickly identify potential bugs in commercial Java implementations. The anomalies are in the bytecode "verifier", which enforces the security of the Java sandbox. There have been no known attacks that exploit these anomalies, but they could potentially be exploited by a malicious application to get access outside the sandbox. For more information on the University of Washington's Kimera Project, visit http://www.washington.edu/newsroom/news/k051997.html.
• Potential unauthorized access to networked services.
  
  An independent third party* has discovered a potential security issue with the current Microsoft virtual machine. The problem may be exposed when an applet exploits both a bug in a Java security class file and a certain configuration of the Internet Explorer 3.0 cache to allow the applet access to network facilities on the client computer. This attack has to be intentional, and is not guaranteed to be successful in gaining access to the network services.
  
  This problem only affects users who use the same machine to run network services, such as a mail server, and execute applets from unknown sources on the Internet. This will not affect users who run mail clients or network client applications only. Microsoft encourages users to be careful when accessing executable code of any form over the Internet, and advises caution when running network services on a machine that is used to browse applets from untrusted sources.
  
  
  • Microsoft thanks A.L. Digital Ltd, Ben Laurie, and Major Malfunction for reporting this problem.
• When not connected to an Internet Service Provider, applets hang during initialization.
• Using Visual Basic to instantiate a Java object with CreateObject() fails with the following message: "Runtime Error '430': Class doesn't support OLE Automation."
• Problems using breakpoints with Visual J++ Debugger when debugging Java classes.
  
  When debugging a Java class with breakpoints or single stepping, the symbols for java.lang.NoSuchFieldError and java.lang.LinkageError are loaded, followed by a first chance exception error. Then, the debugger loads the source code for Throwable.java. This occurs because the Microsoft virtual machine throws a NoSuchFieldError exception when it fails to find a hash value for a field by name and type.