MS warns of "critical" Java VM flaws

The critical flaws occur in the software giant's implementation of the Java Virtual Machine, which allows platform-independent programs to run on a PC.

"(The flaws) could enable an attacker to gain complete control over a user’s system," stated the . "This would enable the attacker to perform any operation that the user could, such as running applications; communicating with web sites; (and) adding, deleting or changing data."

An attacker could exploit the flaws by getting the victim to view a certain Web site with the code embedded in page. HTML e-mail could also be a danger, unless the recipient uses Outlook 2002, Outlook Express 6.0 or has installed the Outlook E-mail Security Update. Finally, those who used the Internet Explorer security settings to disable Java applets won't be affected by the vulnerabilities.

The first vulnerability is caused by a lack of vigilance of certain Java classes that handle database requests. While the classes do attempt to block illegal requests, the security measures can be bypassed, the advisory states.

A second flaw occurs in a Java class that’s provided to support the use of XML via Java, but allows all programs--not just a select few--to use the methods.

Microsoft has a patch posted on its site and linked from the advisory. Windows users can also get the patch through Windows Update.