Redmond, WA. Microsoft Corp. has identified a serious vulnerability in the Microsoft Virtual Machine (Microsoft VM), the Java runtime that ships with Internet Explorer and other Microsoft products.
The Java connection
This flaw could allow a malicious Web site operator to take any action on your PC that you yourself could take. The problem lies in the way the Microsoft VM handles digitally signed Java applets.
By design, a Java applet cannot use an ActiveX control unless the applet is digitally signed and the user has chosen to trust it. Because of a flaw in the Microsoft VM, an attacker can coax the VM into invoking an ActiveX control from an applet that is not signed, giving an untrusted applet access that only a signed, trusted applet should have.
According to Microsoft, "it (this security flaw) would let him take any action on the machine that the user himself was capable of taking, such as creating, changing, or deleting data, sending data to or receiving data from a Web site, reformatting the hard drive, and so forth."
A malicious Webmaster could either host such a Java applet on a Web site or send it in an HTML e-mail message to get the same effect. The fact that it can be delivered by HTML e-mail increases the seriousness of this flaw, because the victim need not visit a hostile site at all.
Microsoft has assured us that the problem is in the Microsoft VM itself, not in any particular ActiveX control. Also, users who have Active Scripting or Scripting of Java applets disabled in the IE security zone in which the page or message is rendered will not be affected by this type of attack.
Even if you do not use Internet Explorer, you may still be affected, because the Microsoft VM also ships with several other Microsoft products, such as Visual Studio. Users of IE 4.x or 5.x have the Microsoft VM installed and are certainly affected.
To determine the build of your version of the Microsoft VM:
1. On Windows NT or Windows 2000, choose "Start", then "Run", type "CMD" and press Enter.
2. On Windows 95, 98, or Windows Me, choose "Start", then "Run", type "COMMAND" and press Enter.
3. At the command prompt, type "JVIEW" and press Enter.
4. The version information appears at the right end of the topmost line of the output, in the form "5.00.xxxx", where "xxxx" is the build number. For example, if the version reads 5.00.1234, you have build 1234. Compare that build with the one Microsoft lists as carrying the fix; if yours is lower, you need the update.
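The script below is an added example written for this article; it is not code from the original page or from Microsoft. It automates the JVIEW check above (run the tool, take the topmost line, pull out the "5.00.xxxx" build) and also evaluates the zone mitigation mentioned earlier (Active Scripting or Scripting of Java applets disabled). Three things are assumptions of the example rather than statements from the article: the sample JVIEW banner is constructed from the tool's usual format; the Internet Explorer registry locations (zone 3 is the Internet zone, value "1400" is Active scripting, value "1402" is Scripting of Java applets, with 0 = enabled, 1 = prompt, 3 = disabled) come from the editor's knowledge of IE, not from this page; and the minimum safe build is a parameter the caller supplies from Microsoft's bulletin, because the article does not state which build carries the fix.

```python
"""Check the Microsoft VM build via JVIEW and the IE zone mitigation.

Added example, not from the article or Microsoft.  Assumptions are
marked in comments.  Runs anywhere; registry access only on Windows.
"""
import re
import shutil
import subprocess
import sys
from typing import Dict, Optional

# Matches the "5.00.xxxx" form the article describes.  Only the topmost
# line of JVIEW's output is examined, as the article says.
VERSION_RE = re.compile(r"\b5\.00\.(\d+)\b")

# Constructed sample of a JVIEW banner (assumed format; build 1234 is the
# article's own illustrative number, not a real release).
SAMPLE_BANNER = (
    "Microsoft (R) Command-line Loader for Java  Version 5.00.1234\n"
    "Copyright (C) Microsoft Corp 1996-1998. All rights reserved.\n"
    "\n"
    "Usage: JView [options] <classname> [arguments]\n"
)

# IE security-zone value names (assumption: standard IE zone settings).
ACTIVE_SCRIPTING = "1400"        # "Active scripting"
JAVA_APPLET_SCRIPTING = "1402"   # "Scripting of Java applets"
ZONE_STATES = {0: "enabled", 1: "prompt", 3: "disabled"}
INTERNET_ZONE_KEY = (
    r"Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3"
)


def parse_jview_build(banner: str) -> Optional[int]:
    """Return the build number from the first line of JVIEW output, or None."""
    lines = banner.strip().splitlines()
    if not lines:
        return None
    match = VERSION_RE.search(lines[0])
    return int(match.group(1)) if match else None


def build_is_patched(build: int, minimum_safe_build: int) -> bool:
    """True if the installed build is at or above the first fixed build.

    minimum_safe_build must be taken from Microsoft's bulletin; the
    article does not give it, so it is a parameter here.
    """
    return build >= minimum_safe_build


def run_jview() -> Optional[str]:
    """Run JVIEW if it is on PATH and return its output text, else None."""
    exe = shutil.which("jview")
    if exe is None:
        return None
    proc = subprocess.run([exe], capture_output=True, text=True)
    # JVIEW prints its banner before the usage text; take whichever
    # stream carried it.
    return proc.stdout or proc.stderr


def zone_blocks_attack(settings: Dict[str, int]) -> bool:
    """Apply the article's mitigation rule to a zone's settings.

    settings maps IE zone value names to their DWORD values.  Only a
    value of 3 ("disabled") counts; "prompt" still lets the applet run
    once the user clicks through.
    """
    return any(
        settings.get(name) == 3
        for name in (ACTIVE_SCRIPTING, JAVA_APPLET_SCRIPTING)
    )


def read_internet_zone_settings() -> Dict[str, int]:
    """Read the two relevant values for the Internet zone on Windows.

    Returns {} on other platforms.  Note: policy-enforced settings may
    live under HKLM instead of HKCU; this reads the per-user key only.
    """
    if sys.platform != "win32":
        return {}
    import winreg  # Windows-only module
    found: Dict[str, int] = {}
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, INTERNET_ZONE_KEY) as key:
        for name in (ACTIVE_SCRIPTING, JAVA_APPLET_SCRIPTING):
            try:
                found[name], _ = winreg.QueryValueEx(key, name)
            except FileNotFoundError:
                pass
    return found


def report(minimum_safe_build: int) -> None:
    """Print a human-readable assessment for this machine."""
    banner = run_jview()
    if banner is None:
        print("JVIEW not found on PATH; the Microsoft VM may not be installed.")
    else:
        build = parse_jview_build(banner)
        if build is None:
            print("Could not read a 5.00.xxxx version from JVIEW's first line.")
        elif build_is_patched(build, minimum_safe_build):
            print(f"Microsoft VM build {build}: at or above fixed build.")
        else:
            print(f"Microsoft VM build {build}: update required.")
    zone = read_internet_zone_settings()
    for name, value in zone.items():
        print(f"Internet zone value {name}: {ZONE_STATES.get(value, value)}")
    if zone_blocks_attack(zone):
        print("Mitigation in effect: scripting disabled in the Internet zone.")


if __name__ == "__main__":
    # Replace with the first fixed build from Microsoft's bulletin.
    report(minimum_safe_build=int(sys.argv[1]) if len(sys.argv) > 1 else 0)
```

Run it as `python vmcheck.py <fixed-build>`; on a non-Windows machine only the parsing and rule logic are exercised, which is enough to confirm the parser reads the topmost line the way the article describes.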