Microsoft Warns of JVM Vulnerability

 
 
By Peter Galli | Posted 2002-03-21

Microsoft Corp. has updated an earlier critical security bulletin, warning all Windows users of another vulnerability with the code for its Java Virtual Machine.

The bulletin said the latest vulnerability could allow a maliciously crafted Java applet to silently reroute all browser traffic to the applet's host without the user's knowledge.

This traffic could then be forwarded as normal, giving the user no clue that his traffic was being redirected. The malicious user could then capture the traffic and examine it for sensitive information, such as usernames, passwords or credit card numbers sent in clear text.

The attacker could also choose to handle the redirected traffic himself. Because the user would have no indication that his session had been redirected, this would allow the malicious user to "spoof" the user's intended session. The malicious user could also simply discard the redirected traffic, creating a denial of service, said Microsoft, in Redmond, Wash.

But this vulnerability can only be exploited if Internet Explorer is configured to access Internet resources via a proxy server, which executes Web requests on behalf of clients, rather than having the client execute the request on its own.

Users whose browsers are not configured to use a proxy server are not at risk from this vulnerability, Microsoft said, but it suggested that all Windows users upgrade, at www.microsoft.com/java/vm/dl_vm40.htm, to the latest version of its JVM, which was issued earlier this month and fixes both this and the previous vulnerability.
