COMMAND

    java

SYSTEMS AFFECTED

    everyone with MS JVM enabled

PROBLEM

    Karsten Sohr at the University of Marburg has discovered another
    serious security flaw in Microsoft's Java Virtual Machine. A bug in
    Microsoft's bytecode verifier allows the construction of code
    sequences that illegally cast values of one Java type to values of
    another unrelated type, in violation of Java's typing rules, without
    detection by Microsoft's verifier. An attack applet can exploit this
    flaw to breach the JVM's security, and can then proceed to do
    anything it wants to do on the victim's computer. For example, an
    attack applet might exploit this flaw to read private data, modify
    or delete files, or eavesdrop on the user's activities.

    Dirk Balfanz and Ed Felten, at Princeton University, have
    constructed a demonstration applet that exploits this flaw to delete
    a file. The Princeton Secure Internet Programming team's news
    release is available at:

        http://www.cs.princeton.edu/sip/history/

    All recent versions of Microsoft's JVM for Windows appear to be
    vulnerable, so users of recent versions of Internet Explorer are
    affected by this flaw. A malicious applet could also be embedded in
    an e-mail message read using Microsoft Outlook or Eudora. Users of
    other JVMs, browsers, and email readers are generally not affected.
    Reliable Software Technologies was involved in testing on various
    platforms. The Reliable Software Technologies news release is
    available at:

        http://www.rstcorp.com

SOLUTION

    Patch availability:

        http://www.microsoft.com/java/vm/dl_vm32.htm

    The above URL installs the latest version of the 3000 series. It
    can be installed by anyone, including customers currently using a
    2000 series build. A new version in the 2000 series will be
    available shortly for customers who are using a 2000 series build
    and do not wish to upgrade to the 3000 series. When this is
    available, MS will modify the bulletin to provide the specific URL.
    A patch will also be available shortly on the Windows Update page.