[NT] Flaw in Microsoft VM Could Enable System Compromise

From: support@securiteam.com
Date: 12/12/02

    From: support@securiteam.com
    To: list@securiteam.com
    Date: 12 Dec 2002 11:35:42 +0200


    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

      Flaw in Microsoft VM Could Enable System Compromise
    ------------------------------------------------------------------------

    SUMMARY

    The Microsoft VM is a virtual machine for the Win32® operating
    environment. The Microsoft VM shipped in most versions of Windows (a
    complete list is available in the FAQ), as well as in most versions of
    Internet Explorer.

    A new version of the Microsoft VM is available, which includes all
    previously released fixes for the VM, as well as fixes for eight newly
    reported security issues. The attack vector for all of the new issues
    would likely be the same: an attacker would create a web page that, when
    opened, exploits the desired vulnerability, and either host it on a web
    site or send it to a user as an HTML mail.

    DETAILS

    Affected Software:
    Versions of the Microsoft virtual machine (Microsoft VM) are identified by
    build numbers, which can be determined using the JVIEW tool as discussed
    in the FAQ. All builds of the Microsoft VM up to and including build
    5.0.3805 are affected by these vulnerabilities.
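    The build check described above, as an added example that is not part of the original bulletin: it parses the version banner that the JVIEW tool prints, compares the build against the last affected build (5.0.3805), and reports whether the patch is still needed. The exact banner wording is an assumption; only the trailing "Version x.y.z" number is relied on, and the sample banner is constructed.

```python
import re
import shutil
import subprocess

# Last affected build named in the bulletin: every build up to and including
# 5.0.3805 carries the eight issues, so anything at or below it needs the patch.
LAST_AFFECTED_BUILD = (5, 0, 3805)

# Constructed sample of a jview banner (wording is an assumption, not taken from
# the bulletin). jview prints the build as "5.00.3805"; the zero-padded minor
# part is normalised away by parsing each component as an integer.
SAMPLE_JVIEW_BANNER = (
    "Microsoft (R) Command-line Loader for Java Version 5.00.3805\n"
    "Copyright (C) Microsoft Corp 1996-2000. All rights reserved.\n"
)

VERSION_RE = re.compile(r"Version\s+(\d+)\.(\d+)\.(\d+)", re.IGNORECASE)


def parse_jview_build(banner):
    """Return (major, minor, build) from a jview banner, or None if absent."""
    match = VERSION_RE.search(banner)
    if not match:
        return None
    return tuple(int(part) for part in match.groups())


def is_affected(build):
    """True when the build is at or below the last affected build."""
    return build <= LAST_AFFECTED_BUILD


def assess(banner):
    """Human-readable verdict for one jview banner."""
    build = parse_jview_build(banner)
    if build is None:
        return "unknown: no Microsoft VM version found in jview output"
    label = "%d.%d.%d" % build
    if is_affected(build):
        return "VULNERABLE: Microsoft VM build %s is <= 5.0.3805; apply the Windows Update patch" % label
    return "patched: Microsoft VM build %s is newer than 5.0.3805" % label


if __name__ == "__main__":
    # On a Windows host with the Microsoft VM installed, read the live banner;
    # elsewhere fall back to the constructed sample so the script still runs.
    banner = SAMPLE_JVIEW_BANNER
    if shutil.which("jview"):
        proc = subprocess.run(["jview"], capture_output=True, text=True)
        banner = proc.stdout + proc.stderr
    print(assess(banner))
```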

    Patch availability:
    Download locations for this patch
     * The patch is available to update existing Microsoft VMs via the Windows
    Update web site.

    Note: A version of the patch that can be downloaded and deployed
    throughout a network is available. Information on obtaining it is
    available in the FAQ.

    Technical description:
    The newly reported security issues are as follows:

     * A security vulnerability through which an untrusted Java applet could
    access COM objects. By design, COM objects should only be available to
    trusted Java programs because of the functionality they expose. COM
    objects are available that provide functionality through which an attacker
    could take control of the system.

     * A pair of vulnerabilities that, although having different underlying
    causes, would have the same effect, namely, disguising the actual location
    of the applet's codebase. By design, a Java applet that resides on user
    storage or a network share has read access to the folder it resides in and
    all folders below it. The vulnerabilities provide methods by which an
    applet located on a web site could misrepresent the location of its
    codebase, to indicate that it resided instead on the user's local system
    or a network share.

     * A vulnerability that could enable an attacker to construct a URL that,
    when parsed, would load a Java applet from one web site but misrepresent
    it as belonging to another web site. The result would be that the
    attacker's applet would run in the other site's domain. Any information
    the user provided to it could be relayed back to the attacker.

     * A vulnerability that results because the Microsoft VM doesn't prevent
    applets from calling the JDBC APIs - a set of APIs that provide database
    access methods. By design, these APIs provide functionality to add,
    change, delete or modify database contents, subject only to the user's
    permissions.

     * A vulnerability through which an attacker could temporarily prevent
    specified Java objects from being loaded and run. A legacy security
    mechanism known as the Standard Security Manager provides the ability to
    impose restrictions on Java applets, up to and including preventing them
    from running altogether. However, the VM does not adequately regulate
    access to the SSM, with the result that an attacker's applet could add
    other Java objects to the "banned" list.

     * A vulnerability through which an attacker could learn a user's username
    on their local system. The vulnerability results because one particular
    system property, user.dir, should not be available to untrusted applets
    but, through a flaw, is. While knowing a username would not in itself pose
    a security risk, it could be useful for reconnaissance purposes.

     * A vulnerability that results because it's possible for a Java applet to
    perform an incomplete instantiation of another Java object. The effect of
    doing so would be to cause the containing application - Internet Explorer
    - to fail.

    Mitigating factors:
    All of the vulnerabilities share a pair of common mitigating factors:

     * The web-based attack vector would be blocked if the user had disabled
    Java applets in the Internet Explorer security zone in which the
    attacker's web site rendered.

     * The email vector would be blocked if the user were running any of
    several mail clients. Specifically, Outlook Express 6 and Outlook 2002
    (which ships as part of Office XP) disable Java by default, and Outlook 98
    and 2000 disable it if the Outlook Email Security Update has been
    installed.

    COM Object Access Vulnerability:
     * The vulnerability represents a target of opportunity only. The attacker
    would have no means of ensuring that sensitive data would be located in
    system memory, cookies, the clipboard, or other locations.

    CODEBASE Spoofing Vulnerabilities:
     * The attacker's access to files, including those on remote shares, would
    be limited to those of the user. If the user had only limited permissions,
    so would the attacker.

    Domain Spoofing Vulnerability:
     * The vulnerability could only be exploited if the user visited the
    attacker's site en route to visiting a third-party site.

     * The effect of exploiting the vulnerability would apply only to the
    current web session.

    JDBC API Vulnerability:
     * To exploit this vulnerability, the attacker would need to know the
    names of each data source he or she wanted to access. In most cases, this
    would require the attacker to have insider knowledge of the user's
    network.

     * The attacker would gain only the user's own permissions to the data
    sources. For instance, if the user had only read access to a particular
    database, so would the attacker.

    Standard Security Manager Access Vulnerability:
     * The effect of exploiting this vulnerability would only persist during
    the current browser session.

     * The vulnerability provides no means of modifying an applet's
    functioning - only preventing it from running.

    User.dir Exposure Vulnerability:
     * Knowing a user's username would not, by itself, enable an attacker to
    take any action against the user. The sole value in learning this
    information would be for reconnaissance purposes, in the hope of using it
    in some future, unspecified attack.

    Incomplete Java object Instantiation Vulnerability:
     * This vulnerability would only enable the attacker to cause Internet
    Explorer to fail - it would not enable the attacker to cause Windows
    itself, or any other applications, to fail.

     * The user could restore normal operation by restarting the browser.

    ADDITIONAL INFORMATION

    The information has been provided by
    <mailto:0_42042_E51E4D7D-DECD-43AE-9A29-36080E8D4C3C_US@Newsletters.Microsoft.com> Microsoft Product Security.
