[26996] in bugtraq
Re: Vulnerabilities in Microsoft's Java implementation
daemon@ATHENA.MIT.EDU (Mike Duncan)
Wed Sep 11 16:06:09 2002
From: Mike Duncan <security@randomtask.net>
To: Damon McMahon <inst_karma@hotmail.com>
In-Reply-To: <20020911043010.29724.qmail@mail.securityfocus.com>
Content-Type: text/plain
Content-Transfer-Encoding: 7bit
Date: 11 Sep 2002 15:47:25 -0400
Message-Id: <1031773651.912.12.camel@ash21495>
Mime-Version: 1.0

AFAIK, because of the Microsoft vs. Sun dispute over Java rights, the
Microsoft VM only complies with Java 1.2 or maybe even lower. So as a
standard of mine, and because I can use the OBJECT tag to automagically
upgrade a client (depending on network conditions), I always have
clients upgrade to the Sun implementation. This allows me to cut down
the JAR/CAB file sizes (because I no longer have to include things like
Swing) and it also allows me to take full advantage of Java 1.4. I
would suggest that anyone wanting to migrate take a look at
http://java.sun.com for more information (especially look at the plugin
documentation as it will make life a lot easier).

Mike Duncan
security@randomtask.net
http://www.randomtask.net

On Wed, 2002-09-11 at 00:30, Damon McMahon wrote:
> In-Reply-To: <Pine.LNX.4.33.0209091507490.19081-100000@lissu.solutions.fi>
>
> Since Sun's implementation of the JVM is not vulnerable
> AFAYK, would installing Sun's Java VM and then
> configuring it to handle Java applets in IE be an
> acceptable workaround?
>
> >
> >
> >WORKAROUNDS
> >===========
> >
> >Microsoft was first contacted in July 2002 and started their
> >investigation of potential Java vulnerabilities. More of them were found
> >during August and reported to the vendor. Microsoft has acknowledged most
> >of the vulnerabilities and is currently working on a patch to correct
> >them.
> >
> >To protect themselves, Internet Explorer and Outlook (Express) users can
> >disable Java Applets until the patch is released. This can be done in
> >Internet Options -> Security -> Internet -> Custom Level -> Microsoft
> >VM, select "Disable Java".
> >
> >If you want to use an Applet on a certain web site you trust, you can add
> >the site to the Trusted Sites zone and enable Applets in that zone.
> >
> >