The Microsoft VM is a virtual machine for the Win32 operating environment. The Microsoft VM is shipped in most versions of Windows and in most versions of Microsoft Internet Explorer. A new security vulnerability has been reported that affects the ByteCode Verifier component of the Microsoft VM. It occurs because the ByteCode Verifier does not correctly look for certain malicious code when a Java applet is being loaded. The attack vector for this new security issue would likely involve an attacker creating a malicious Java applet and inserting it into a Web page that would exploit this vulnerability when it was opened. An attacker could then host this malicious Web page on a Web site or could send it to a user in e-mail. The present Microsoft VM has been updated to include a fix for this newly reported security vulnerability. This version of the VM includes all previously released fixes to the VM.
There are a number of workarounds that you may be able to apply temporarily while you evaluate and test the new Microsoft VM:
In an enterprise environment, you can use application filters at the firewall to examine and block mobile code.
You can use a later Microsoft e-mail client, such as Microsoft Outlook 2002 or Outlook Express 6. By default, the e-mail attack vector is prevented in later versions of Outlook. If you are using earlier Microsoft Outlook clients, such as Outlook 98 or 2000, the e-mail vector is blocked if the Outlook Email Security Update is used.
You can prevent Java applets from being run in the Internet Explorer Internet zone. Note that if you disable Java applets, your ability to view certain Web pages may be affected. To disable Java applets:
On the Tools menu, click Internet Options, click the Security tab, and then click Custom Level.
In the Settings box, click Disable Java under Java Permissions, click OK, and then click OK again.
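To confirm that the Disable Java workaround actually took effect on a machine, the following added example (not part of the original advisory) parses a registry export of the Internet Explorer zone settings and reports any hive where the Internet zone still permits applets. It assumes the Java Permissions setting is stored as the `1C00` DWORD (URLACTION_JAVA_PERMISSIONS) under `Internet Settings\Zones\<n>`, with zone 3 being the Internet zone; neither detail is given on this page, and the sample export is constructed.

```python
import re

# Assumed from the Windows SDK (urlmon.h), not from this advisory:
# policy values for URLACTION_JAVA_PERMISSIONS, stored as the "1C00" DWORD.
JAVA_POLICY = {
    0x00000000: "Disable Java",
    0x00010000: "High safety",
    0x00020000: "Medium safety",
    0x00030000: "Low safety",
    0x00800000: "Custom",
}
INTERNET_ZONE = 3  # 0=My Computer, 1=Local intranet, 2=Trusted, 3=Internet, 4=Restricted

KEY_RE = re.compile(
    r"^\[(?P<hive>HKEY_[A-Z_]+)\\.*\\Internet Settings\\Zones\\(?P<zone>\d+)\]$", re.I)
VAL_RE = re.compile(r'^"1C00"=dword:(?P<v>[0-9a-f]{8})$', re.I)

def java_permissions(reg_text):
    """Return {(hive, zone): value} for every 1C00 entry in decoded .reg text."""
    found, current = {}, None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            m = KEY_RE.match(line)
            current = (m["hive"].upper(), int(m["zone"])) if m else None
        elif current:
            m = VAL_RE.match(line)
            if m:
                found[current] = int(m["v"], 16)
    return found

def internet_zone_findings(reg_text):
    """List (hive, setting) pairs where the Internet zone is not set to Disable Java."""
    perms = java_permissions(reg_text)
    hives = {h for h, _ in perms} or {"HKEY_CURRENT_USER"}
    findings = []
    for hive in sorted(hives):
        value = perms.get((hive, INTERNET_ZONE))
        if value != 0:  # missing or any non-zero policy means applets may still run
            label = "not set" if value is None else JAVA_POLICY.get(value, hex(value))
            findings.append((hive, label))
    return findings

# Constructed sample export: Internet zone left at "High safety", Restricted zone disabled.
SAMPLE = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"1C00"=dword:00010000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4]
"1C00"=dword:00000000
"""
```

Registry exports are usually saved as UTF-16, so decode the file before passing its text to `internet_zone_findings`; an empty result means every hive in the export has Java disabled for the Internet zone.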