Vulnerability Note VU#237777
Microsoft Virtual Machine allows applets write access to the Standard Security Manager
A flaw in the Microsoft virtual machine (Microsoft VM) could allow malicious Java applets to block other, legitimate applets from running, resulting in a denial-of-service condition.
The Microsoft virtual machine (Microsoft VM) enables Java programs to run on Windows platforms. The Microsoft VM is included in most versions of Windows and Internet Explorer.
The Standard Security Manager is a component of the VM’s security policy mechanism, and provides information about the restrictions that should be enforced when Java applets run within Internet Explorer. Among the information it can contain is a list of Java applets and modules that Java applets should not be able to invoke.
Exploitation of this vulnerability could result in a denial-of-service condition since a malicious program or applet may list other, legitimate programs or applets to the "banned" list in the Standard Security Manager. A malicious Java program that was designed to exploit this vulnerability could be hosted on an attacker's web page or introduced via HTML email.
Apply a patch from the vendor
Systems Affected (Learn More)
|Vendor||Status||Date Notified||Date Updated|
|Microsoft Corporation||Affected||26 Nov 2002||18 Dec 2002|
CVSS Metrics (Learn More)
Thanks to Jouko Pynnonen for reporting this vulnerability.
This document was written by Chad R Dougherty.
- CVE IDs: CAN-2002-1292
- Date Public: 12 Nov 2002
- Date First Published: 21 Jan 2003
- Date Last Updated: 21 Jan 2003
- Severity Metric: 1.95
- Document Revision: 15
If you have feedback, comments, or additional information about this vulnerability, please send us email.