search menu icon-carat-right cmu-wordmark

CERT Coordination Center

Microsoft Virtual Machine allows applets write access to the Standard Security Manager

Vulnerability Note VU#237777

Original Release Date: 2003-01-21 | Last Revised: 2003-01-21


A flaw in the Microsoft virtual machine (Microsoft VM) could allow malicious Java applets to block other, legitimate applets from running, resulting in a denial-of-service condition.


The Microsoft virtual machine (Microsoft VM) enables Java programs to run on Windows platforms. The Microsoft VM is included in most versions of Windows and Internet Explorer.

The Standard Security Manager is a component of the VM’s security policy mechanism, and provides information about the restrictions that should be enforced when Java applets run within Internet Explorer. Among the information it can contain is a list of Java applets and modules that Java applets should not be able to invoke.

Microsoft's VM fails to disallow Java programs from writing to the Standard Security Manager. By design, only the VM itself should be able to add information to the Standard Security Manager. However, a flaw allows any Java program to do so. An attacker who successfully exploited this vulnerability could add other Java code to the "banned" list in the Standard Security Manager, and prevent the current instance of the Microsoft VM-enabled application (e.g., Internet Explorer, Outlook Express, etc.) from being able to use that code.


Exploitation of this vulnerability could result in a denial-of-service condition since a malicious program or applet may list other, legitimate programs or applets to the "banned" list in the Standard Security Manager. A malicious Java program that was designed to exploit this vulnerability could be hosted on an attacker's web page or introduced via HTML email.

Any applications that depended on the now-banned Java modules from operating properly would be adversely affected. These conditions would persist for the lifetime of that instance of the VM-enabled application. Subsequent instances, or other instances held in parallel, would not be affected.


Apply a patch from the vendor

Microsoft has issued Security Bulletin MS02-069 addressing this vulnerability. Users are encouraged to follow the instructions outlined in that bulletin and apply the patches that it refers to.


Disable Java

- if the ability to run Java applets is not required or desired, configure your web browser to not execute them. Information about disabling Java in various web browsers can be found here.

Note that disabling Java in your web browser may not mitigate this vulnerability for Java programs that are invoked via another method.

Vendor Information


Microsoft Corporation Affected

Notified:  November 26, 2002 Updated: December 18, 2002



Vendor Statement

Microsoft Corporation's statement can be found in Microsoft Security Bulletin MS02-069.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.


The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

CVSS Metrics

Group Score Vector



Thanks to Jouko Pynnonen for reporting this vulnerability.

This document was written by Chad R Dougherty.

Other Information

CVE IDs: CVE-2002-1292
Severity Metric: 1.95
Date Public: 2002-11-12
Date First Published: 2003-01-21
Date Last Updated: 2003-01-21 21:42 UTC
Document Revision: 15

Sponsored by CISA.