[ISN] Microsoft Warns of Java Security Hole in Windows

From: InfoSec News (isnat_private)
Date: Wed Mar 20 2002 - 00:53:38 PST


    http://www.reuters.com/news_article.jhtml?type=technologynews&StoryID=719918
    
    [Is it just me, or does it seem very quiet about Microsoft's
    stand-down for the month learning about security? & why hasn't anyone
    at Redmond invited any of the IT & IS journalists to sit in on this
    security training?   - WK]
    
    March 19, 2002 08:35 PM ET 
    
    SAN FRANCISCO (Reuters) - Microsoft Corp. has released a bulletin
    advising of a second vulnerability in software that allows Windows
    users to run programs written in Java, a Microsoft program manager
    said on Tuesday.
    
    Microsoft and Sun Microsystems Inc., creator of the Java programming
    language, released a joint bulletin about the first vulnerability
    affecting the Java Virtual Machine code on March 4. They released a
    subsequent bulletin on Monday, according to Christopher Budd, security
    program at the Microsoft Security Response Center.
    
    Both vulnerabilities were rated "critical" because of the harm they
    could cause; however, there have been no known attempts to exploit the
    vulnerabilities, he said.
    
    An update to Microsoft's Java Virtual Machine released on March 4
    fixes both vulnerabilities, Budd added.
    
    The first vulnerability could allow a malicious Java applet on a Web
    site to monitor a visitor's Web surfing until the browser window is
    closed. The second vulnerability would allow a malicious Java program
    to run outside a restricted area on a user's computer.
    
    Users are only at risk if they go through a proxy server to access Web
    sites as is common in corporations but not homes. Proxy servers are
    commonly used to cache content on frequently accessed Web sites,
    housing it on a server closer to the end user so that the downloading
    is faster.
    
    
    
    -
    ISN is currently hosted by Attrition.org
    
    



    This archive was generated by hypermail 2b30 : Wed Mar 20 2002 - 04:38:37 PST