
Microsoft battles pair of security bugs

The company's bug exterminators are at work on two security flaws that could expose users' information to the prying eyes of online attackers.

Paul Festa, Staff Writer, CNET News.com. Paul Festa covers browser development and Web standards.
Microsoft bug exterminators are at work on two security flaws that could expose users' information to the prying eyes of online attackers.

Microsoft has acknowledged that bugs in its Java virtual machine for the Internet Explorer browser and its Outlook Express mail reader for IE enable malicious hackers to look at more than they ought to be able to see on targets' computers.

Microsoft said it was devising patches for both holes.

With Outlook Express, a malicious user can embed a script within a message that will let him or her read the mail of the targeted user while the initial message window remains open. The bug does not affect the standard version of Outlook.

"This could potentially let a malicious user read email, but under pretty restricted conditions," a Microsoft representative said. "And it only allows email to be read--not changed or altered."

Pending a fix, Microsoft said that concerned users can turn off Active Scripting within IE's Restricted Zone and reconfigure Outlook Express to open email within the restricted zone.

The second problem, in Microsoft's Java virtual machine, also permits the improper reading of files on the user's computer. Originally discovered, described and demonstrated by Kensuke Tada, the vulnerability lets a Java applet read, but not write to or delete, "known files," which could include the registry file or other files with common names like "memo.txt" or "password.txt." A Java applet is a small application written in Java such as an online spreadsheet or news ticker.

The Java virtual machine translates code written in the cross-platform Java programming language into code that computers can understand.

Microsoft said it learned of the problem over the weekend and immediately began working on its patch. The company downplayed the seriousness of the problem, saying the attacker could only access a particular directory that was most often empty. Microsoft also said the problem was simple to patch and that all versions of the JVM would be patched this weekend.