SkipNavigation
Home | FAQ | Contact | Privacy Policy
US-CERT
American Flag
  Vulnerability
Notes
Database

Search Vulnerability Notes

Vulnerability Notes Help Information

Report a Vulnerability

 
 View Notes By
  Name

ID Number

CVE Name

Date Public

Date Published

Date Updated

Severity Metric
 Other Documents
  Technical Alerts

Technical Bulletins

Alerts

Security Tips

Vulnerability Note VU#897529

Microsoft Virtual Machine allows untrusted applets to access the user.dir system property

Overview

Some versions of the Microsoft virtual machine (Microsoft VM) contain a flaw that could leak information about the user's system. This flaw could allow malicious Java applets to get information they would normally be denied access to.

I. Description

The Microsoft virtual machine (Microsoft VM) enables Java programs to run on Windows platforms. The Microsoft VM is included in most versions of Windows and Internet Explorer.

System properties provide the means through which Java programs can query the operating system and gain detailed information about the system on which they are running. The Microsoft VM allows access to the user.dir system property from untrusted Java programs.

A malicious Java applet that was designed to exploit this vulnerability could be hosted on an attacker's web page or delivered via HTML email.

II. Impact

A malicious program could exploit this vulnerability to disclose the path to the current working directory of the Microsoft VM-enabled application. Information contained in this path could provide additional information about the system, such as the user's username, that could be leveraged in other attacks.

III. Solution

Apply a patch from the vendor


Microsoft has issued Security Bulletin MS02-069 addressing this vulnerability. Users are encouraged to follow the instructions outlined in that bulletin and apply the patches that it refers to.

Workarounds

Disable Java

If the ability to run Java applets is not required or desired, configure your web browser to not execute them. Information about disabling Java in various web browsers can be found here.

Note that disabling Java in your web browser may not mitigate this vulnerability for Java programs that are invoked via another method.

Systems Affected

VendorStatusDate NotifiedDate Updated
Microsoft CorporationVulnerable18-Dec-2002

References

http://www.iss.net/security_center/static/10581.php
http://www.securityfocus.com/bid/6139

Credit

Thanks to Jouko Pynnonen for reporting this vulnerability.

This document was written by Chad R Dougherty.

Other Information

Date Public:2002-11-12
Date First Published:2003-01-21
Date Last Updated:2003-01-21
CERT Advisory: 
CVE-ID(s):CAN-2002-1325
NVD-ID(s):CAN-2002-1325
US-CERT Technical Alerts: 
Severity Metric:1.51
Document Revision:17

If you have feedback, comments, or additional information about this vulnerability, please send us email.
 

 
Page Corner Image
Copyright 2003 Carnegie Mellon University
Disclaimers and copyright information
Get a PDF Reader