Vulnerability Note VU#897529
Microsoft Virtual Machine allows untrusted applets to access the user.dir system property
Some versions of the Microsoft virtual machine (Microsoft VM) contain a flaw that could leak information about the user's system. This flaw could allow malicious Java applets to get information they would normally be denied access to.
The Microsoft virtual machine (Microsoft VM) enables Java programs to run on Windows platforms. The Microsoft VM is included in most versions of Windows and Internet Explorer.
System properties provide the means through which Java programs can query the operating system and gain detailed information about the system on which they are running. The Microsoft VM allows access to the user.dir system property from untrusted Java programs.
A malicious program could exploit this vulnerability to disclose the path to the current working directory of the Microsoft VM-enabled application. Information contained in this path could provide additional information about the system, such as the user's username, that could be leveraged in other attacks.
Apply a patch from the vendor
Systems Affected (Learn More)
|Vendor||Status||Date Notified||Date Updated|
|Microsoft Corporation||Affected||26 Nov 2002||18 Dec 2002|
CVSS Metrics (Learn More)
Thanks to Jouko Pynnonen for reporting this vulnerability.
This document was written by Chad R Dougherty.
- CVE IDs: CAN-2002-1325
- Date Public: 12 Nov 2002
- Date First Published: 21 Jan 2003
- Date Last Updated: 21 Jan 2003
- Severity Metric: 1.51
- Document Revision: 17
If you have feedback, comments, or additional information about this vulnerability, please send us email.