A number of known issues in Java support for Internet Explorer have now
been corrected in the Internet Explorer 3.02 release. Please download this
upgrade if you are experiencing any problems with Java support in Internet
Explorer 3.0. To address the issues discussed below, ensure you have the
latest build of the Microsoft Win32 Virtual Machine for Java. For more
information about obtaining the latest build, see the References section of
this article.
- Java Mischief Security Issue Identified
This security issue specifically affects the JVM and not the browser.
Microsoft's current understanding of the problem is that when a user
visits a malicious Web site, the site could download an image from
another Web site such as an intranet that the user has permission to
access without the user' knowledge or permission. The security problem
could also be used to download an image file from the malicious site to
the user's computer memory storage.
The problem will be fixed in the final versions of the JVM that ships
with Internet Explorer 4.0, and we plan to provide a fix for Internet
Explorer 3.02 on Windows 95/NT 4.0 and Internet Explorer 3.02a on
Windows 3.1/NT 3.51 as soon as possible. The fix will be available as an
update to the JVM.
For more information see the "New Java Mischief Security Problem" link
on this page: http://www.microsoft.com/ie/security/.
- Java Applets hang Internet Explorer 3.02 after installing Windows NT
version 4.0 Service Pack 3.
Internet Explorer version 3.02 may hang when you are navigating to a
page that contains a Java applet after installing Windows NT version 4.0
Service Pack 3. The hang only occurs if the Display Properties Color
Palette is set to True Color. For more detailed information, please see
the following article in the Microsoft Knowledge Base:
ARTICLE-ID: Q168748
TITLE : Java Applets Cause IE 3.02 to Stop Responding w/ SP3
- University of Washington bytecode verifier issue.
Microsoft announced the immediate availability of an updated version of
the Microsoft Virtual Machine for Java. Researchers at the University of
Washington recently notified Microsoft and other vendors of a set of
anomalies in Java Virtual Machines. These anomalies could potentially
result in a security exposure for customers using Java applets, causing
a system crash or lose data.
The researchers with the Kimera Project in the Department of Computer
Science and Engineering at the University of Washington have an
automatic validation technology that allows them to quickly identify
potential bugs in commercial Java implementations. The anomalies are in
the bytecode "verifier", which enforces the security of the Java
sandbox. There have been no known attacks that exploit these anomalies,
but they could potentially be exploited by a malicious application to
get access outside the sandbox. For more information on the University
of Washington's Kimera Project, visit
http://www.washington.edu/newsroom/news/k051997.html
- Potential unauthorized access to networked services.
An independent third party* has discovered a potential security issue
with the current Microsoft Virtual Machine for Java. The problem may be
exposed when an applet exploits both a bug in a Java security class file
and a certain configuration of the Internet Explorer 3.0 cache to allow
the applet access to network facilities on the client machine. This
attack has to be intentional, and is not guaranteed to be successful in
gaining access to the network services.
This problem only affects users who use the same machine to run network
services, such as a mail server, and execute applets from unknown
sources on the Internet. This will not affect users who run mail clients
or network client applications only. Microsoft encourages users to be
careful when accessing executable code of any form over the Internet,
and advises caution when running network services on a machine that is
used to browse applets from untrusted sources.
* Microsoft thanks A.L. Digital Ltd, Ben Laurie, and Major Malfunction
for reporting this problem.
- When not connected to an Internet Service Provider, applets hang during
initialization.
- Using Visual Basic to instantiate a Java object with CreateObject()
fails with the following message: "Runtime Error '430': Class doesn't
support OLE Automation."
- Problems using breakpoints with Visual J++ Debugger when debugging Java
classes.
When debugging a Java class with breakpoints or single stepping, the
symbols for java.lang.NoSuchFieldError and java.lang.LinkageError are
loaded, followed by a first chance exception error. Then, the debugger
loads the source code for Throwable.java. This occurs because the
Virtual Machine throws a NoSuchFieldError exception when it fails to
find a hash value for a field by name and type.
For additional information on the current release of the Virtual Machine,
please refer to the following Knowledge Base article: