Microsoft Identifies Eight JVM Vulnerabilities

In a single security bulletin issued late Wednesday, Microsoft disclosed eight new security vulnerabilities discovered in its java virtual machine. Build 5.0.3805 and older are at risk, containing one flaw rated "critical," two "important," two "moderate" and three classified as "low" severity.

The critical vulnerability stems from the ability of an un-trusted Java applet to access COM objects, which control many Windows functions. According to the bulletin, "This would enable the attacker to take any desired action on the user's system; for instance, the attacker could add, delete or change data on the user's system; communicate with web sites; load and run programs; reformat the hard drive, and so forth."

Two "important" vulnerabilities achieved by spoofing the CODEBASE parameter in a Java applet tag can be exploited via a Web page or HTML e-mail, and enable an attacker to read files from a user's hard drive or network shares.

The five other less severe vulnerabilities have effects that range from crashing Internet Explorer to enabling a malicious Web site to read usernames and passwords from stored cookies.

Microsoft's JVM is included with almost all versions of Windows and Redmond recommends all users immediately upgrade to the newly released VM build 3809, available on Windows Update. Build 3809 includes all previous fixes to Microsoft's virtual machine as well, and cannot be uninstalled.