Re: Vulnerabilities in Microsoft's Java implementation

[Mike Duncan <security () randomtask net>]

AFAIK, because of the Microsoft vs. Sun dispute over Java rights, the
Microsoft VM only complies with Java 1.2 or maybe even lower. So as a
standard of mine, and because I can use the OBJECT tag to automagically
upgrade a client (depending on network conditions), I always have
clients upgrade to the Sun implementation. This allows me to cut down
the JAR/CAB file sizes (because I no longer have to include things like
SWING) and also it allows me to take full advantage of the Java 1.4. I
would suggest that anyone wanting to migrate take a look at
http://java.sun.com for more information (especially look at the plugin
documentation as it will make life a lot easier). 

Mike Duncan
security () randomtask net
http://www.randomtask.net



On Wed, 2002-09-11 at 00:30, Damon McMahon wrote:
> In-Reply-To: <Pine.LNX.4.33.0209091507490.19081-100000 () lissu solutions fi>
>
> Since Sun's implementation of the JVM is not vulnerable
> AFAYK, would installing Sun's Java VM and then
> configuring it to handle Java applets in IE be an
> acceptable workaround?
>
> > WORKAROUNDS
> > ===========
> >
> > Microsoft was first contacted in July 2002 and started
> their 
> > investigation of potential Java vulnerabilities. More
> of them were found 
> > during August and reported to the vendor. Microsoft
> has acknowledged most 
> > of the vulnerabilities and is currently working on a
> patch to correct 
> > them.
> >
> > To protect themselves, Internet Explorer and Outlook
> (Express) users can 
> > disable Java Applets until the patch is released. This
> can be done in 
> > Internet Options -> Security -> Internet -> Custom
> Level -> Microsoft 
> > VM, select "Disable Java".
> >
> > If you want to use an Applet on a certain web site you
> trust, you can add
> > the site to the Trusted Sites zone and enable Applets
> in that zone.
> >