Microsoft Warns of Java Security Hole in Windows

[InfoSec News <isn () c4i org>]

http://www.reuters.com/news_article.jhtml?type=technologynews&StoryID=719918

[Is it just me, or does it seem very quiet about Microsoft's
stand-down for the month learning about security? & why hasn't anyone
at Redmond invited any of the IT & IS journalists to sit in on this
security training?   - WK]

March 19, 2002 08:35 PM ET 

SAN FRANCISCO (Reuters) - Microsoft Corp. has released a bulletin
advising of a second vulnerability in software that allows Windows
users to run programs written in Java, a Microsoft program manager
said on Tuesday.

Microsoft and Sun Microsystems Inc., creator of the Java programming
language, released a joint bulletin about the first vulnerability
affecting the Java Virtual Machine code on March 4. They released a
subsequent bulletin on Monday, according to Christopher Budd, security
program at the Microsoft Security Response Center.

Both vulnerabilities were rated "critical" because of the harm they
could cause, however there have been no known attempts to exploit the
vulnerabilities, he said.

An update to Microsoft's Java Virtual Machine released on March 4
fixes both vulnerabilities, Budd added.

The first vulnerability could allow a malicious Java applet on a Web
site to monitor a visitor's Web surfing until the browser window is
closed. The second vulnerability would allow a malicious Java program
to run outside a restricted area on a users' computer.

Users are only at risk if they go through a proxy server to access Web
sites as is common in corporations but not homes. Proxy servers are
commonly used to cache content on frequently accessed Web sites,
housing it on a server closer to the end user so that the downloading
is faster.



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn' in the BODY
of the mail.