Microsoft KB Archive/253562


Article ID: 253562

Article Last Modified on 6/14/2006



APPLIES TO

  • Microsoft Java Virtual Machine
  • Microsoft Internet Explorer 4.0 128-Bit Edition
  • Microsoft Internet Explorer 4.01 Service Pack 2
  • Microsoft Internet Explorer 4.01 Service Pack 1
  • Microsoft Internet Explorer 5.0
  • Microsoft Internet Explorer 5.01



This article was previously published under Q253562

SYMPTOMS

The version of the Microsoft virtual machine (Microsoft VM) that is included with Microsoft Internet Explorer 4.x, 5, and 5.01 contains a security vulnerability. The operator of a malicious Web site could write a Java applet that reads files on a visiting user's computer, but cannot change, delete, or add files. The applet could also read Web content from inside an intranet if the malicious site is visited by a computer from within that intranet. The malicious user would need to know the exact path and file name of the files he or she wanted to read.

CAUSE

This problem is due to the way the default system class path is set when the Microsoft VM is installed. Depending on the version of Internet Explorer installed, this can enable untrusted code to read files under the root directory (typically "C:\") or the desktop directory (typically %systemroot%\Profiles\User name\Desktop).

RESOLUTION

To resolve this problem, obtain the latest service pack for Windows 2000. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:

260910 How to Obtain the Latest Windows 2000 Service Pack


To resolve this potential problem, you can also install build 3802 or later of the Microsoft VM from the following Microsoft Web site:

WARNING: After you install the updated Microsoft VM, you cannot uninstall it.

Perform the following steps to determine the build number of the Microsoft VM:

  • Open a Command window:
    • On Windows 2000 and Windows NT, click Start, click Run, type "cmd" (without the quotation marks), and then click OK.
    • On Windows 95 or Windows 98, click Start, click Run, type "command" (without the quotation marks), and then click OK.
  • At the Command prompt, type "jview" (without the quotation marks) and then press ENTER. The version information is at the right of the topmost line. It has a format like "5.00.xxxx", where the "xxxx" is the build number. For example, if the version number is 5.00.1234, you have build number 1234.
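The build check described above can be scripted when jview output has been collected from several machines. The following Python sketch is an added example, not part of the original article and not Microsoft code; the banner wording, error messages, and host names in the sample data are constructed, and only the "5.00.xxxx" format and the 3802 threshold come from the article.

```python
import re

FIXED_BUILD = 3802  # per the article: build 3802 or later contains the fix

# Version token as the article describes it: "5.00.xxxx", where xxxx is the build.
_VERSION = re.compile(r"\b(\d+)\.(\d{2})\.(\d{1,5})\b")


def vm_build(jview_output):
    """Return the Microsoft VM build number from captured jview output, or None."""
    for line in jview_output.splitlines():
        if not line.strip():
            continue  # skip leading blank lines in the capture
        # Only the topmost line carries the version; the article places it
        # at the right of that line, so take the rightmost match.
        matches = _VERSION.findall(line)
        return int(matches[-1][2]) if matches else None
    return None


def classify(jview_output):
    """Map a capture to 'fixed', 'vulnerable', or 'unknown' (no version found)."""
    build = vm_build(jview_output)
    if build is None:
        return "unknown"
    return "fixed" if build >= FIXED_BUILD else "vulnerable"


def audit(captures):
    """captures: {host: jview output}. Returns {host: (build, status)}."""
    return {host: (vm_build(out), classify(out)) for host, out in captures.items()}


# Constructed sample captures (assumed banner wording, hypothetical host names).
SAMPLE = {
    "ws-01": "Microsoft (R) Command-line Loader for Java  Version 5.00.3167\n"
             "Copyright (C) Microsoft Corp 1996-1999.\n",
    "ws-02": "\nMicrosoft (R) Command-line Loader for Java  Version 5.00.3802\n",
    "ws-03": "Bad command or file name\n",  # jview not on the path
}

if __name__ == "__main__":
    for host, (build, status) in sorted(audit(SAMPLE).items()):
        print(f"{host}: build={build} status={status}")
```

A status of "unknown" means no version string was found on the top line, for example because jview is not installed or not on the path; it does not indicate whether the machine is affected.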



STATUS

Microsoft has confirmed that this is a problem in the Microsoft products that are listed at the beginning of this article. This problem was first corrected in Windows 2000 Service Pack 1. This problem was also corrected in Microsoft VM build 3802 or later.

MORE INFORMATION

For more information, please see the following Microsoft Security Bulletin:

For additional security-related information about Microsoft products, please refer to the following Microsoft Web site:

REFERENCES

For support information about Visual J++ and the SDK for Java, visit the following Microsoft Web site:

Keywords: kbbug kbfix kbwin2000sp1fix kbsecvulnerability kbsecurity kbsecbulletin KB253562