PROBLEM:
A security vulnerability in the Microsoft(r) Virtual Machine could allow a Java Applet to take unauthorized actions on the computer of a user visiting a malicious website.

PLATFORM:
Microsoft Windows 95/98 and NT 4.0 Workstation and Server

DAMAGE:
The web-hosted Java Applet could take unauthorized actions against a user visiting the site. These actions could include creating, deleting, or modifying files, sending or receiving data from a web site, or reformatting a hard drive.

SOLUTION:
Apply the patch.

VULNERABILITY
The risk is low. A user would have to visit a web site and view a page constructed to exploit this vulnerability.

Summary
Microsoft has released a new version of the Microsoft(r) virtual machine
(Microsoft VM) that  eliminates a security vulnerability that could allow a
Java applet to take unauthorized actions  on the computer of a web site
visitor. Although no standard Java compiler can generate such an  applet, a Java applet constructed by hand with a Java bytecode assembler could bypass the sandbox  and take virtually any action on the computer that the user would be capable of taking.

Frequently asked questions regarding this vulnerability can be found at
http://www.microsoft.com/security/bulletins/MS99-045faq.asp

Issue
The Microsoft VM is a virtual machine for the Win32(r) operating
environment. It runs atop  Microsoft Windows(r) 95, 98 or Windows NT(r). It ships as part of each operating system, and also  as part of Microsoft
Internet Explorer.

The version of the Microsoft VM that ships with Microsoft Internet Explorer
4.0 and Internet  Explorer 5.0 contains a security vulnerability in the
bytecode verifier that could allow a Java  applet to operate outside the
bounds set by the sandbox. If hosted on a web site, it could cause  any
action to be taken on the computer of a visiting user that the user himself
could take. This  could include, for example, creating, deleting or
modifying files, sending data to or receiving  data from a web site, or
reformatting the hard drive.

Affected Software Versions
Versions of the Microsoft VM are identified by build numbers, which can be
determined using the  JVIEW tool, as discussed in the FAQ. The following
builds of the Microsoft VM are affected:
All builds in the 2000 series
All builds in the 3000 series prior to but not including build 3188

NOTE:
The Microsoft VM ships as part of several products. However, the primary ship vehicle is  Internet Explorer. IE 4 ships with builds in the 2000 series; IE 5 ships with builds in the 3000  series.

Patch Availability
http://www.microsoft.com/java/vm/dl_vm32.htm

NOTE:
The above URL installs the latest version of the 3000 series. It can be installed by  anyone, including customers currently using a 2000 series
build. A new version in the 2000 series  will be available shortly for
customers who are using a 2000 series build and do not wish to  upgrade to the 3000 series. When this is available, we will modify the bulletin to
provide the  specific URL.

NOTE:
A patch also will be available shortly at
http://windowsupdate.microsoft.com
When this  happens, we will modify the bulletin to provide the specific URL.

More Information
Please see the following references for more information related to this
issue.
Microsoft Security Bulletin MS99-045: Frequently Asked Questions,
http://www.microsoft.com/security/bulletins/MS99-045faq.asp
Microsoft Knowledge Base (KB) article Q244283,
Bypassing Java Sandbox Results in VM Security Vulnerability,
http://support.microsoft.com/support/kb/articles/q244/2/83.asp

(Note: It may take 24 hours from the original posting of this bulletin
   for this KB article to be visible.)
Microsoft Security Advisor web site,
http://www.microsoft.com/security/default.asp

Obtaining Support on this Issue
This is a fully supported patch. Information on contacting Microsoft
Technical Support is available at
http://support.microsoft.com/support/contact/default.asp

- ------------------------------------------------------------------

THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY.

(c) 1999 Microsoft Corporation. All rights reserved. Terms of Use.