There's a flaw in my VM
By Alun Williams
Posted on 19 Sep 2002 at 12:49
Microsoft patches a security hole in its Java support program, common to Windows and IE.
The danger is that an attacker could engineer particular Web pages - or email HTML - to exploit gaps in Microsoft's Virtual Machine (VM). This is a program for implementing standard Java functionality on particular platforms including Windows and Internet Explorer.
Specifically, Microsoft Security Bulletin MS02-052 reports a flaw in Microsoft VM JDBC classes that could allow malicious execution of code by an attacker. The flaw has a severity rating of 'critical'.
There are three particular vulnerabilities. Because of the way JDBC classes handle a request to execute a DLL on your machine, it is possible for an attacker to gain control of your system.
A second vulnerability could enable an attacker to supply invalid data that causes Internet Explorer to crash. (There is also a theoretical possibility the flaw could enable an attacker to run code within the security context of the user.)
Finally, there is another means by which an attacker can gain control over your system. It relates to the handling of XML by Java code. The XML-related class exposes methods to be used only by trusted users, but the VM does not always correctly differentiate.
A patch is now available from Microsoft's Windows Update service.
JDBC (Java Database Connectivity) is a standard for Java programs to access relational databases, such as Microsoft SQL Server and Oracle9i.
