COMMAND

    javaVM

SYSTEMS AFFECTED

    Microsoft VM (JVM), all builds of the 2000 and 3000 series

PROBLEM

    The following is based on Microsoft Security Bulletin MS00-081.
    Note that this is a new variant of the vulnerability described at:

        http://oliver.efri.hr/~crv/security/bugs/NT/java15.html

    The Microsoft VM is a  virtual machine for the Win32(r)  operating
    environment.   It  runs  atop  Microsoft  Windows(r)  95,  98, Me,
    Windows NT(r) 4.0,  and Windows 2000.   It ships as  part of  each
    operating system, and also as part of Microsoft Internet Explorer.

    The version of the Microsoft VM that ships with Microsoft Internet
    Explorer  4.x  and  Internet  Explorer  5.x  contains  a  security
    vulnerability that could  allow a Java  applet to operate  outside
    the bounds set by the sandbox. A malicious user could write a Java
    applet that could  read - but  not change, delete  or add -  files
    from the computer  of a person  who visited his  site or read  web
    content from inside an intranet  if the malicious site is  visited
    by a computer from within that intranet.

    The  only  significant  difference  between  the  new and original
    variants  lies  in  the  specific  programming  technique  used to
    exploit  the  vulnerability;  in  other  respects,  the  two   are
    virtually identical.  Applying  the new patch eliminates  both the
    new and original variants.

    Versions  of  the  Microsoft  VM  are identified by build numbers,
    which can be determined using the JVIEW tool, as discussed in  the
    FAQ.  The following builds of the Microsoft VM are affected:

        - All builds in the 2000 series.
        - All builds in the 3000 series.

    The Microsoft VM ships as part of several products.  However,  the
    primary ship vehicle is Internet Explorer.

SOLUTION

    New  versions  of  the  Microsoft  VM  that  include a fix for the
    vulnerability can be downloaded from the following locations:
    - 2000-series builds:
      A  patch  specifically  for  the  2000-series  builds  will   be
      available  shortly.   Customers   who  wish  to  eliminate   the
      vulnerability  can  also  do  so  by  upgrading to build 3319 at
      http://www.microsoft.com/java/vm/dl_vm40.htm

    - 3000-series builds:
      Upgrade to build 3319 or later at
      http://www.microsoft.com/java/vm/dl_vm40.htm.

    2000-series builds are shipped  as part of Internet  Explorer 4.x;
    3000-series builds are shipped  as part of Internet Explorer  5.x.
    However, customers may upgrade the Microsoft VM on their  machines
    independent of  the browser,  and the  Microsoft VM  also ships as
    part of many other applications, so it is possible for the  actual
    build number to be higher than the one associated with the version
    of IE that is installed on the machine.  In such cases,  customers
    should determine what version of the patch to install based on the
    build number, not on the version of IE.