Select the product you need help with
- Internet Explorer
- Windows Phone
- More products
MS02-013: Java Applet Can Redirect Browser Traffic
Article ID: 300845 - View products that this article applies to.
This article was previously published under Q300845
NoticeThe Microsoft virtual machine (Microsoft VM) update that was previously listed in this article is no longer available. For more information, visit the following Microsoft Web pages:
A session hijacking vulnerability exists in the Microsoft virtual machine (Microsoft VM) that could allow a maliciously crafted Java applet to silently reroute all browser traffic to the host of the applet without the knowledge of the user. After an attacker possesses the rerouted browser traffic, he or she could take any action or any combination of actions that he or she chooses, including the following:
A malicious applet that tries to exploit this vulnerability would be active until the user quits all instances of Internet Explorer that are open.
This vulnerability can only be exploited if Microsoft Internet Explorer is configured to access Internet resources through a proxy server. Users whose browsers are not configured to use a proxy server are not at risk from this vulnerability.
If an attack that exploits this vulnerability captures any secure HTTP (HTTPS) traffic, the HTTPS traffic cannot be read in plain text because HTTPS is encrypted by using Secure Sockets Layer (SSL). Therefore, user names and passwords that are sent by using HTTPS are much less vulnerable than information that is sent in plain text by using HTTP.
This vulnerability occurs because of how certain requests for proxy service in Java are handled. When you configure Internet Explorer to use proxy services, a particularly crafted Java program (sometimes called an applet) could exploit this vulnerability to forward browser traffic.
Microsoft has confirmed that this problem may cause a degree of security vulnerability in the Microsoft virtual machine. This problem was first corrected in Windows 2000 Service Pack 3.
To determine the Microsoft VM build number on a computer that is running Windows 98, Windows 98 Second Edition (SE), or Windows Millennium Edition (Me), follow these steps:
For more information about this vulnerability, visit the following Microsoft Web sites:
http://www.microsoft.com/technet/security/bulletin/ms02-013.mspxFor additional information about the Microsoft virtual machine, click the article number below to view the article in the Microsoft Knowledge Base:
169803For support information about Visual J++ and the SDK for Java, visit the following Microsoft Web site:
(http://support.microsoft.com/kb/169803/EN-US/ )INFO: Historical List of Shipping Vehicles for Microsoft VM
Article ID: 300845 - Last Review: June 30, 2009 - Revision: 10.0