Microsoft Security Bulletin MS00-081
Patch Available for New Variant of 'VM File Reading' Vulnerability
Originally posted: October 25, 2000
On October 25, 2000, Microsoft released this bulletin to advise customers of the availability of a patch that eliminates a new variant of a security vulnerability affecting the Microsoft® virtual machine (Microsoft VM). On October 27, 2000, we updated the bulletin to advise that fewer versions of the VM are affected than originally reported.
The original variant of the vulnerability was discussed in Microsoft Security Bulletin MS00-011. Like the original vulnerability, the new variant could enable a malicious web site operator to read files from the computer of a person who visited the site, or to read web content from inside an intranet if the malicious site was visited from a computer within that intranet.
Versions of the Microsoft VM are identified by build numbers, which can be determined using the JVIEW tool, as discussed in the FAQ. The following builds of the Microsoft VM are affected:
- All builds in the 3000 series numbered 3318 or earlier.
Note: The Microsoft VM ships as part of several products. However, the primary ship vehicle is Internet Explorer.
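The affected-build rule above can be applied to collected JVIEW output across a set of machines. The following is an added example, not part of the original bulletin or any Microsoft tool. It assumes the build number is the last dotted field of the version string that JVIEW prints, and the host names and banner lines are constructed.

```python
import re

# Assumption: JVIEW prints a version string such as "Version 5.00.3167",
# where the final four-digit field is the Microsoft VM build number.
VERSION_RE = re.compile(r"Version\s+\d+\.\d+\.(\d{4})\b")

HIGHEST_AFFECTED_3000_BUILD = 3318  # "3318 or earlier", per the bulletin


def parse_build(jview_output):
    """Return the Microsoft VM build number found in JVIEW output, or None."""
    match = VERSION_RE.search(jview_output)
    return int(match.group(1)) if match else None


def classify(build):
    """Map a build number to its status under MS00-081."""
    if build is None:
        return "unknown"            # no VM found or output not parseable
    if 3000 <= build <= 3999:
        if build <= HIGHEST_AFFECTED_3000_BUILD:
            return "affected"
        return "not-listed"         # 3000 series, later than 3318
    if 2000 <= build <= 2999:
        return "not-affected"       # per bulletin revision V1.1
    return "unknown"                # series the bulletin does not mention


def triage(inventory):
    """inventory maps host -> JVIEW output; returns host -> (build, status)."""
    results = {}
    for host, output in inventory.items():
        build = parse_build(output)
        results[host] = (build, classify(build))
    return results


# Constructed sample inventory (hypothetical hosts and captured output).
SAMPLE_INVENTORY = {
    "ws-01": "Microsoft (R) Command-line Loader for Java Version 5.00.3167",
    "ws-02": "Microsoft (R) Command-line Loader for Java Version 5.00.3318",
    "ws-03": "Microsoft (R) Command-line Loader for Java Version 5.00.3319",
    "ws-04": "Microsoft (R) Command-line Loader for Java Version 5.00.2925",
    "ws-05": "'jview' is not recognized as an internal or external command",
}

if __name__ == "__main__":
    for host, (build, status) in sorted(triage(SAMPLE_INVENTORY).items()):
        print(f"{host}\tbuild={build}\t{status}")
```

Hosts reported as "unknown" need a manual check, since a missing or unparseable banner says nothing about whether a Microsoft VM is installed.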
Support: This is a fully supported patch. Information on contacting Microsoft Product Support Services is available at http://support.microsoft.com/contactussupport/?ws=support.
Security Resources: The Microsoft TechNet Security Web Site provides additional information about security in Microsoft products.
The information provided in the Microsoft Knowledge Base is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.
Revisions:
- V1.0 (October 25, 2000): Bulletin created.
- V1.1 (October 31, 2000): Bulletin updated to indicate that 2000-series builds are not affected by the vulnerability.
- V1.2 (January 26, 2001): Bulletin updated to reflect update to VM patch version.
- V1.3 (June 1, 2001): Updated Patch availability section.
- V1.4 (July 20, 2002): Update made to download location.
- V1.5 (February 28, 2003): Update made to download location.
- V2.0 (July 1, 2009): Removed download information because Microsoft Java Virtual Machine is no longer available for distribution from Microsoft. For more information, see Patch availability.