X
Tech
Home Tech Security

Alert! New security attack via Java applet

Microsoft Corp. has identified a serious vulnerability associated with the Microsoft Virtual Machine. This security slip-up could allow a malicious Web site operator to take any action on your PC that you could.
Written by Victor Latona, Contributor
Don't get the Java jitters. Protect your PC with the latest security fix from Microsoft.

Redmond, WA., Microsoft Corp. has identified a serious vulnerability associated with the Microsoft Virtual Machine (Microsoft VM).

The Java connection
This security slip-up could allow a malicious Web site operator to take any action on your PC that you could. The security breach at hand results from a flaw in the functionality of the Microsoft VM with respect to the way it handles a digitally signed Java applet.

Under ideal conditions, a Java applet cannot use the functionality of an ActiveX control unless it is digitally signed and trusted. Due to a Microsoft oversight, a flaw resulted that would allow a malicious user to coax the VM into executing an ActiveX control that only a digitally signed applet should have access to.

Allow me
According to Microsoft, "it (this security flaw) would let him take any action on the machine that the user himself was capable of taking, such as creating, changing, or deleting data, sending data to or receiving data from a Web site, reformatting the hard drive, and so forth."

A malicious Webmaster could either host this Java applet on a Web site or send it as an HTML e-mail to get the desired effect. The fact that it can be sent as an HTML e-mail message increases the seriousness of this security flaw.

Microsoft has assured us that this is not a problem with an ActiveX control. Also, users with Active Scripting or Scripting of Java applets disabled in their IE security zone will not be affected by this type of attack.

Who's affected?
Even if you do not use Internet Explorer, you still may be affected by this vulnerability because Microsoft VM ships with several other Microsoft products such as Visual Studio. Users of IE 4.x or 5.x are surely affected.

To determine the build of your version of Microsoft VM:
1. On Windows NT or Windows 2000, choose "Start", then "Run", then type "CMD" and hit the enter key.
2. On Windows 95, 98, or Windows Me choose "Start", then "Run" then type "COMMAND" and hit the enter key.
3. At the command prompt, type "JVIEW" and hit the enter key.
4. The version information will be at the right of the topmost line. It will have a format like "5.00.xxxx", where the "xxxx" is the build number. For example, if the version number is 5.00.1234, you have build number 1234.

Download Microsoft "VM ActiveX Component" Vulnerability Patch.

Editorial standards
Show Comments

Related

Anker Solix X1

Not into the Tesla Powerwall? You can now buy the Anker Solix X1

windows-11-laptop

Microsoft is now showing ads in Windows 11's Start menu. Here's how to block them

Placeholder product image alt text

The best AI image generators to try right now