Microsoft Warns of JVM Vulnerability

By Peter Galli  |  Posted 2002-03-21

Microsoft Corp. has updated an earlier critical security bulletin, warning all Windows users of another vulnerability with the code for its Java Virtual Machine.

The bulletin said the latest vulnerability could allow a maliciously crafted Java applet to silently reroute all browser traffic to the applet's host without the user's knowledge.

This traffic could then be forwarded as normal, giving the user no clue that his traffic was being redirected. The malicious user could then capture the traffic and examine it for sensitive information, such as usernames, passwords or credit card numbers sent in clear text.

The attacker could also choose to handle the redirected traffic himself. Because the user would have no indication that his session had been redirected, this would allow the malicious user to "spoof" the user's intended session. The malicious user could also simply discard the redirected traffic, creating a denial of service, said Microsoft, in Redmond, Wash.

But this vulnerability can only be exploited if Internet Explorer is configured to access Internet resources via a proxy server, which executes Web requests on behalf of clients, rather than having the client execute the request on its own. Users whose browsers are not configured to use a proxy server are not at risk from this vulnerability, Microsoft said, but suggested that all Windows users upgrade, at, to the latest version of its JVM, issued earlier this month, which fixes both this and the previous vulnerability.