
FIX: Java Security Issue Allows Access to ActiveX Controls

Article ID: 275609
Last Review: June 14, 2006
Revision: 6.0
This article was previously published under Q275609

SYMPTOMS

The Microsoft virtual machine (Microsoft VM) includes a security vulnerability that may allow script code in a Web page or HTML-based e-mail message to access ActiveX controls that should not be available in those contexts. This vulnerability can give malicious script code access to any ActiveX controls that are installed on the visiting user's computer. The ActiveX controls could then give the malicious script complete control over the visiting user's computer, including the ability to read and write files on the local hard drive.

This affects the following builds of the Microsoft VM:

  • All builds in the 2000 series.
  • All builds in the 3100 series.
  • All builds in the 3200 series.
  • All builds in the 3300 series.


CAUSE

The vulnerability is caused by a flaw in a security check that is intended to prevent the com.ms.activeX.ActiveXComponent system class from being used as an applet. This system class, which is provided with the Microsoft VM, is intended for use only in applications or by signed and trusted applets.


RESOLUTION

To resolve this issue, install the latest build (3802) of the Microsoft VM.

WARNING: After you install the updated Microsoft VM, you cannot uninstall it.

Upgrade to the latest Microsoft VM build. For more information, visit the following Microsoft Web site:
http://www.microsoft.com/mscorp/java/


STATUS

Microsoft has confirmed that this is a problem in the Microsoft products that are listed at the beginning of this article.


REFERENCES

For more information, please see Microsoft Security Bulletin MS00-075 at the following Microsoft Web site:
http://www.microsoft.com/technet/security/bulletin/MS00-075.mspx

For additional security-related information about Microsoft products, please refer to the following Microsoft Web site:
http://www.microsoft.com/technet/security/

For support information about Visual J++ and the SDK for Java, visit the following Microsoft Web site:
http://www.microsoft.com/java



APPLIES TO
Microsoft Java Virtual Machine
Microsoft Internet Explorer 3.0
Microsoft Internet Explorer 3.01
Microsoft Internet Explorer 3.02
Microsoft Internet Explorer 4.0 128-Bit Edition
Microsoft Internet Explorer 4.01 Service Pack 2
Microsoft Internet Explorer 4.01 Service Pack 1
Microsoft Internet Explorer 5.0
Microsoft Internet Explorer 5.01
Microsoft Internet Explorer (Programming) 5.01 SP1
Microsoft Internet Explorer 5.5


Keywords: kbbug kbfix kbjavavm33xxfix kbsecbulletin kbsecurity kbsecvulnerability KB275609
