FIX: Untrusted Code Can Access Files on End-User Systems

Article translations Article translations
Article ID: 253562 - View products that this article applies to.
This article was previously published under Q253562
Notice
The Microsoft virtual machine (Microsoft VM) update that was previously listed in this article is no longer available. For more information, visit the following Microsoft Web pages:
http://www.microsoft.com/mscorp/java/default.mspx
http://support.microsoft.com/gp/lifean12
Expand all | Collapse all

SYMPTOMS

The version of the Microsoft virtual machine (Microsoft VM) that is included with Microsoft Internet Explorer 4.x and Internet Explorer 5 and 5.01 contains a security vulnerability that could enable the operator of a malicious Web site to write a Java applet that could read, but not change, delete, or add, files on a visiting user's computer or read Web content from inside an intranet if the malicious site was visited by a computer from within that intranet. The malicious user would need to know the exact path and file name of the files he or she wanted to read.

CAUSE

This problem is due to the way the default system class path is set when the Microsoft VM is installed. Depending on the version of Internet Explorer installed, this can enable untrusted code to read files under the root directory (typically "C:\") or the desktop directory (typically %systemroot%\Profiles\User name\Desktop).

STATUS

Microsoft has confirmed that this is a problem in the Microsoft products that are listed at the beginning of this article. This problem was first corrected in Windows 2000 Service Pack 1. This problem was also corrected in Microsoft VM build 3802 or later.

MORE INFORMATION

For more information, please see the following Microsoft Security Bulletin:
http://www.microsoft.com/technet/security/bulletin/ms00-011.mspx
For additional security-related information about Microsoft products, please refer to the following Microsoft Web site:
http://www.microsoft.com/technet/security/

REFERENCES

For support information about Visual J++ and the SDK for Java, visit the following Microsoft Web site:
http://www.microsoft.com/java

Properties

Article ID: 253562 - Last Review: June 30, 2009 - Revision: 7.0
APPLIES TO
  • Microsoft Java Virtual Machine
  • Microsoft Internet Explorer 4.0 128-Bit Edition
  • Microsoft Internet Explorer 4.01 Service Pack 2
  • Microsoft Internet Explorer 4.01 Service Pack 1
  • Microsoft Internet Explorer 4.01 Service Pack 2
  • Microsoft Internet Explorer 5.0
  • Microsoft Internet Explorer 5.01
Keywords: 
kbbug kbfix kbsecbulletin kbsecurity kbsecvulnerability kbwin2000sp1fix KB253562

Give Feedback

 

Contact us for more help

Contact us for more help
Connect with Answer Desk for expert help.
Get more support from smallbusiness.support.microsoft.com