COMMAND

    VM File Reading

SYSTEMS AFFECTED

    JVM all builds in the 2000, 3100 and 3200 series

PROBLEM

    The following is based on Microsoft Security Bulletin (MS00-011).  The
    Microsoft  VM  is  a  virtual  machine  for  the  Win32® operating
    environment.  It  runs atop Microsoft  Windows® 95, 98  or Windows
    NT®.  It ships as part of each operating system, and also as  part
    of Microsoft Internet Explorer.   The version of the Microsoft  VM
    that  ships  with  Microsoft  Internet  Explorer  4.x and Internet
    Explorer 5.x contains a security vulnerability that could allow  a
    Java applet to operate outside the bounds set by the sandbox.  A
    malicious user could write a Java applet that could read (but not
    change, delete or add) files from the computer of a person who
    visited his site, or read web content from inside an intranet if
    the malicious site is visited by a computer from within that
    intranet.  The malicious user would need to know the exact path
    and filename of the files he wished to read.

    Microsoft  thanks  Hideo  Nakamura  of  NEC  in  Tokyo,  Japan for
    reporting the VM  File Reading vulnerability  to them and  working
    with MS to protect customers.

SOLUTION

    New  versions  of  the  Microsoft  VM  that  include a fix for the
    vulnerability can be downloaded from the following locations:

        - 2000 series builds: http://www.microsoft.com/java/vm/dl_vmsp2.htm
        - 3100 series builds: http://www.microsoft.com/java/vm/dl_vm32.htm
        - 3200 series builds: http://www.microsoft.com/java/vm/dl_vm40.htm

    Note: 2000 series builds are shipped as part of Internet  Explorer
    4.x; 3100 series builds are  shipped as part of Internet  Explorer
    5; 3200  series builds  are shipped  as part  of Internet Explorer
    5.01.