COMMAND

    MS JVM

SYSTEMS AFFECTED

    MS JVM

PROBLEM

    Microsoft    JVM    allows     reading    local    files     using
    getSystemResourceAsStream.   For  a  detailed  description, please
    see the following article:

        http://java-house.etl.go.jp/ml/archive/j-h-b/030376.html (in Japanese)
        http://java-house.etl.go.jp/ml/archive/j-h-b/030411.html (in English)

    Verified with  build 5.00.2314.1003  on Win98.   According to  the
    article  above,  IE  5  allows  files  under C:\Windows\Desktop to
    read, while IE  4 gives access  to C:\ itself.   Seems that  there
    must be an a bug in either

        java.lang.SecurityManager.checkRead(String,Object)

    or

        java.lang.ClassLoader.getResourceAsStream(String)

    If it's  the former,  this bug  should be  further exploitable  to
    pretty  much   any  file.    Therefore,   most  likely   is   that
    java.lang.ClassLoader.getResourceAsStream(String) is either a) not
    calling java.lang.SecurityManager.checkRead(String,Object) at  all
    or b) passing it an incorrect context.

    After some  time a  there was  released a  new note which includes
    additional information to the previous warning:

        http://java-house.etl.go.jp/ml/archive/j-h-b/031072.html (in Japanese)
        http://java-house.etl.go.jp/ml/archive/j-h-b/031178.html (in English)

    There are three new issues:

        1. Windows2000 is also affected
        2. IE5 has additional hole for "Existence Attack" over whole C:\
        3. Patch available from Microsoft with inappropriate description
           of the vulnerability

SOLUTION

    Patched.