[NT] Flaw in Microsoft VM Could Enable System Compromise (ByteCode Verifier)
From: support@securiteam.com
Date: 04/13/03
From: support@securiteam.com To: list@securiteam.com Date: 13 Apr 2003 00:08:13 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
Flaw in Microsoft VM Could Enable System Compromise (ByteCode Verifier)
------------------------------------------------------------------------
SUMMARY
The Microsoft VM is a virtual machine for the Win32 operating environment.
The Microsoft VM is shipped in most versions of Windows (a complete list
is available in the FAQ), as well as in most versions of Internet
Explorer.
A security vulnerability in the Microsoft VM could enable a web site
operator to gain administrative privileges on the victim's machine using a
malicious Java applet.
DETAILS
Affected versions:
Version 3809 or earlier
The present Microsoft VM, which includes all previously released fixes to
the VM, has been updated to include a fix for the newly reported security
vulnerability. This new security vulnerability affects the ByteCode
Verifier component of the Microsoft VM, and results because the ByteCode
verifier does not correctly check for the presence of certain malicious
code when a Java applet is being loaded. The attack vector for this new
security issue would likely involve an attacker creating a malicious Java
applet and inserting it into a web page that when opened, would exploit
the vulnerability. An attacker could then host this malicious web page on
a web site, or could send it to a user in e-mail.
Mitigating factors:
In order to exploit this vulnerability via the web-based attack vector,
the attacker would need to entice a user into visiting a web site that the
attacker controlled. The vulnerability itself provides no way to force
a user to a web site.
Java applets are disabled within the Restricted Sites Zone. As a result,
any mail client that opened HTML mail within the Restricted Sites Zone,
such as Outlook 2002, Outlook Express 6, or Outlook 98 or 2000 when used
in conjunction with the Outlook Email Security Update, would not be at
risk from the mail-based attack vector.
The vulnerability would gain only the privileges of the user, so customers
who operate with less than administrative privileges would be at less risk
from the vulnerability.
Corporate IT administrators could limit the risk posed to their users by
using application filters at the firewall to inspect and block mobile
code.
FAQ:
What security vulnerability is eliminated by the new VM build?
This VM build includes all previously released security fixes, as well as
fixing a newly reported security vulnerability that affects the ByteCode
Verifier and could allow an attacker to run code of his or her choice on a
user's system.
What is the Microsoft VM?
The Microsoft virtual machine (Microsoft VM) enables Java programs to run
on Windows platforms. The Microsoft VM is included in most versions of
Windows and Internet Explorer. The vulnerability discussed here affects
all customers who have the Microsoft VM.
I don't know if the Microsoft VM is installed on my system. How can I
tell?
If you're using any of the following versions of Windows, you definitely
have the Microsoft VM installed:
Microsoft Windows 95
Microsoft Windows 98 and 98SE
Microsoft Windows Millennium
Microsoft Windows NT 4.0, beginning with Service Pack 1
Microsoft Windows 2000
Microsoft Windows XP
The Microsoft VM also shipped as part of several versions of Internet
Explorer and other products. If you're in doubt about whether you have it
installed, do the following:
Select Start, then Run.
Open a command box, as follows:
If you are running Windows 98 or Windows Millennium, type "command"
(without the quotes), then hit the enter key.
If you are running Windows NT 4.0, Windows 2000, or Windows XP, type "cmd"
(without the quotes), then hit the enter key.
In the resulting command box, type "Jview" (without the quotes). If a
program runs, you have the Microsoft VM installed. If you receive an error
saying that no program by that name exists, you don't.
Is this a new version of the Microsoft VM?
Yes, Microsoft VM build 3810 is a new release of the Microsoft VM.
How can I tell what version of the Microsoft VM I'm using?
Here's how to determine the build number you're using:
Select Start, then Run.
On Windows 95, 98, or Me, type "command" (without the quotes). On Windows
NT 4.0, 2000, or XP, type "cmd" (again, without the quotes). Hit the enter
key.
In the resulting command box, type "Jview" (without the quotes) and hit the
enter key.
In the topmost line of the resulting listing, you should see a version
number of the form x.yy.zzzz. The final four digits are the version
number.
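The version check above, applied to Jview output collected from several
machines, as an added example that is not part of the original advisory.
The host names, the banner wording and the error text in the samples are
constructed; only the x.yy.zzzz form and builds 3809/3810 come from the
advisory.

```python
import re

FIXED_BUILD = 3810  # build the advisory names as containing the fix

# Version of the form x.yy.zzzz; the final four digits are the build.
VERSION_RE = re.compile(r"\b(\d+)\.(\d{2})\.(\d{4})\b")


def jview_build(output):
    """Return the build from the topmost non-empty line of Jview output,
    or None when that line carries no x.yy.zzzz version."""
    for line in output.splitlines():
        if line.strip():
            match = VERSION_RE.search(line)
            return int(match.group(3)) if match else None
    return None


def classify(output):
    """Map captured Jview output to a patch status."""
    build = jview_build(output)
    if build is None:
        # Shell error instead of a banner: Jview did not run on this host.
        return "no-vm-or-unparsed"
    return "patched" if build >= FIXED_BUILD else "vulnerable"


def audit(captures):
    """Classify every host in a {host: captured_output} mapping."""
    return {host: classify(text) for host, text in sorted(captures.items())}


# Constructed sample captures (hypothetical hosts and banner text).
SAMPLES = {
    "ws-01": "Microsoft (R) Command-line Loader for Java  Version 5.00.3809\n"
             "Usage: JView [options] <classname> [arguments]\n",
    "ws-02": "\nMicrosoft (R) Command-line Loader for Java  Version 5.00.3810\n",
    "ws-03": "'Jview' is not recognized as an internal or external command,\n"
             "operable program or batch file.\n",
}

if __name__ == "__main__":
    for host, status in audit(SAMPLES).items():
        print(f"{host}: {status}")
```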
Patch:
Patch details can be found in Microsoft's original advisory at:
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-011.asp
ADDITIONAL INFORMATION
The original Microsoft security advisory can be obtained at:
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-011.asp
Or on Microsoft Knowledge Base:
http://support.microsoft.com/default.aspx?scid=kb;en-us;816093