Java Applet Can Redirect Browser Traffic

http://www.microsoft.com/technet/security/bulletin/MS02-013.asp.

-{ Quote: "
Microsoft Security Bulletin MS02-013


Java Applet Can Redirect Browser Traffic
Originally posted: March 04, 2002

Summary
Who should read this bulletin: Customers using Microsoft® Internet Explorer® in a configuration where a proxy server is interposed between the browser and the Internet.

Impact of vulnerability: Information Disclosure

Maximum Severity Rating: Critical

Recommendation: Customers using IE in a proxy server configuration as indicated above should immediately apply the patch.

Affected Software: Versions of the Microsoft virtual machine (Microsoft VM) are identified by build numbers, which can be determined using the JVIEW tool as discussed in the FAQ. The following builds of the Microsoft VM are affected:

All builds of the Microsoft VM up to and including build 3802.
" }-

Patch availability
Download locations for this patch
Upgrade to Microsoft VM build 3805 or later at http://www.microsoft.com/java/vm/dl_vm40.htm

no win2k patch?

As I read it on the download page:
A Windows 2000 hotfix including Microsoft VM build 3805 will be available soon.

-{ Quote: "As I read it on the download page:
A Windows 2000 hotfix including Microsoft VM build 3805 will be available soon." }-
I'm dreading All Fools' Day! *How on Earth will we be able to tell the real M$ bug reports from the fakes? * ;D

-{ Quote: "no win2k patch?" }-

Available in the meanwhile (XP as well) using one and the same link:

www.microsoft.com/java/vm/dl_vm40.htm

regards.

paul

Another alternativ to be protected from this security hole is to use the original Java Runtime Engine from Sun. It's free and can be downloaded from

http://java.sun.com/j2se/1.3/jre/download-windows.html#software

wizard

More links on this vulnerability:

http://www.theregister.co.uk/content/55/24295.html

http://www.xs4all.nl/~harmwal/issue/wal-01.txt

http://home.netscape.com/security/

The advice from wizard is IMHO a very solid one:

-{ Quote: "Another alternativ to be protected from this security hole is to use the original Java Runtime Engine from Sun." }-

There's a new version available as well: v1.4:

http://java.sun.com/j2se/1.4/download.html

regards.

paul

Exactly (step-by-step) how would one go about changing from VM to Sun? What do you do? Pete

-{ Quote: "Exactly (step-by-step) how would one go about changing from VM to Sun? What do you do? Pete" }-

Good question, Pete!

Quote from this site:
http://www.microsoft.com/java/vm/dl_vm40.htm

-{ Quote: "WARNING: Please note that once you have installed the updated Microsoft VM it cannot be uninstalled." }-