COMMAND

Microsoft Virtual Machine Bytecode Verifier Vulnerability

SYSTEMS AFFECTED

Microsoft Windows 9x, Me, NT, 2000, XP

PROBLEM

K-Otik.com [http://www.k-otik.com] found the following:

A vulnerability identified in the Microsoft VM (Virtual Machine) shipped with almost all versions of Windows (except some versions of Windows XP) can be exploited by malicious people to compromise a user's system.

The vulnerability is caused by an input validation error in the ByteCode Verifier: it does not check for certain malicious sequences of byte codes when loading Java applets. This can be exploited by crafting a special Java applet and including it in a web page, which can either be hosted on a website or sent directly to a user in an email.

When a user on a vulnerable system views the malicious web page, the Java applet will be able to execute arbitrary code on the user's system with the user's privileges.

In the email scenario, the vulnerability can be exploited automatically to execute arbitrary code on the user's system when the malicious email is viewed. However, this is not possible if the user is viewing the malicious email in Outlook Express 6.0 or Outlook 2002 in their default configurations, or in Outlook 98 or Outlook 2000 in conjunction with the Outlook Email Security Update.

To check the version number of the installed Microsoft VM:

1) Type "Jview" at the command line.
2) Look at the four last digits of the version number on the topmost line.

SOLUTION

Update Microsoft VM to version 3810 or later.
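The two-step Jview check above can be scripted so that a fleet of machines reports whether their Microsoft VM build is at or above 3810. The following PowerShell is an added example, not part of the advisory or of any Microsoft tooling; it assumes that "jview" is on the PATH and prints its version on the first line of output, as the advisory describes. The advisory does not give the exact wording of that line, so the regular expression that pulls out a dotted version number and takes its last group as the build is an assumption.

```powershell
# Added example (not from the advisory): automate the Microsoft VM build check.
# Assumption: "jview" is on PATH and its first output line carries a dotted
# version number whose last group is the four-digit build the advisory refers to.
$MinimumBuild = 3810   # build the advisory names as fixed

# No jview at all means the Microsoft VM is not installed, so nothing to patch.
$jview = Get-Command jview -ErrorAction SilentlyContinue
if (-not $jview) {
    Write-Output "jview not found: Microsoft VM does not appear to be installed."
    exit 0
}

# jview with no arguments prints its banner and usage; merge stderr into stdout
# and keep the first non-empty line, which is where the version is printed.
$firstLine = & jview 2>&1 |
    Where-Object { "$_".Trim() -ne '' } |
    Select-Object -First 1

if (-not $firstLine) {
    Write-Error "jview produced no output; check the installation manually."
    exit 2
}

# Match a dotted version such as 5.00.3810 and take the last group as the build.
if ("$firstLine" -match '(\d+(?:\.\d+)+)') {
    $version = $Matches[1]
    $build   = [int]($version.Split('.')[-1])
} else {
    Write-Error "Could not find a version number in: $firstLine"
    exit 2
}

if ($build -ge $MinimumBuild) {
    Write-Output "Microsoft VM $version (build $build): at or above $MinimumBuild, patched."
    exit 0
} else {
    Write-Output "Microsoft VM $version (build $build): below $MinimumBuild, update required."
    exit 1
}
```

Run it from an elevated or ordinary prompt; the exit code (0 patched or not installed, 1 update required, 2 could not determine) lets a login script or inventory tool collect the result without parsing the text.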