Subj : Java Security Hole
To   : All
From : Sean Dennis
Date : Tue Mar 05 2002 01:11 am

=== Cut ===
From: http://www.infoworld.com/articles/hn/xml/02/03/04/020304hnmsflaw.xml?0305tuam

Microsoft uncovers critical Java hole
By Ashlee Vance
March 4, 2002 4:56 pm PT

SAN FRANCISCO - Microsoft issued a "critical" security alert Monday for its Java virtual machine (JVM), saying a flaw in the product could let hackers view users' information while they surf the Web.

Microsoft is one of several vendors that make a JVM, a software program that allows applications written in Java to run on any computer regardless of its operating system. The company has included its JVM with Windows 98, Windows ME and Windows 2000, as well as its Internet Explorer browser up to version 5.5.

The flaw in the JVM makes it possible for a hacker to view user information as it passes through a proxy server. Businesses often set up proxy servers to act as gateways for their employees' Internet traffic, sometimes because it makes it easier for an administrator to block workers from reaching certain Web sites.

To exploit the weakness in the JVM, a hacker would need to lure users to a Web site where he or she had planted a malicious Java applet. When a user unwittingly collected the applet, the hacker would be able to see information about that user as it travelled across the proxy server, Microsoft said.

"It is almost like the applet sits and listens to the traffic that is going by," said Christopher Budd, security program manager with Microsoft's security response center. "It is possible for this to scoop up information."

Until the user closed the browser, the hacker would be able to record the Web sites visited by the user and even information entered at a Web page.

However, the common SSL (secure socket layer) security technology employed by many Web sites would prevent encrypted information from being exposed, according to Budd.
In addition, most home users do not pass through a proxy server when accessing the Web, which means they should not be affected by the vulnerability.

Microsoft released an update to its JVM this afternoon which fixes the flaw, along with a handful of previously identified holes, Budd said. It is also working to update the JVM it makes available for download for the Windows XP operating system.

Following a legal dispute with Java creator Sun Microsystems, Microsoft chose not to include a JVM with Windows XP, but computer makers such as Dell Computer and Compaq Computer preload the software for users on new machines.

The flaw could be present in JVMs from other companies besides Microsoft, and other companies may release updates to their JVMs in the coming days, according to Budd. Microsoft has worked closely with Sun to fix the flaw, he said.

Ashlee Vance is a San Francisco-based reporter at IDG News Service, an InfoWorld affiliate.
=== Cut ===

Later,
Sean

=====================================================================
hausmaus@midnightshour.org | http://midnightshour.org | ICQ: 19965647
=====================================================================

.... "Bother," said Pooh, as @FIRST@ ran to him with his pants down.
--- Midnight's Hour Local Console
 * Origin: Midnight's Hour BBS - Carbondale, IL - 618-529-3176 (1:11/200)