__________________________________________________________
The U.S. Department of Energy
Computer Incident Advisory Capability
__________________________________________________________
INFORMATION BULLETIN
Microsoft Virtual Machine (VM) Vulnerability
[Microsoft Security Bulletin MS03-011]
April 9, 2003 22:00 GMT Number N-074
______________________________________________________________________________
PROBLEM: There is a flaw in the way the Microsoft VM ByteCode Verifier
conducts its checks when it is loading code. It does not check
correctly for a particular illegal sequence of byte codes. A
malicious Java applet could be used to take advantage of this
missing check and bypass subsequent security checks.
AFFECTED
SOFTWARE: Microsoft VM - all builds up to and including build 5.0.3809.
DAMAGE: A remote attacker could potentially gain privileges of the
victim (including root) and execute arbitrary code.
SOLUTION: Administrators should install build 3810 or later of the
Microsoft VM, as discussed in their Security Bulletin.
______________________________________________________________________________
VULNERABILITY The risk is MEDIUM. The victim would need to visit a website
ASSESSMENT: under the attacker's control or receive an HTML e-mail from the
attacker. Automatic exploitation by an HTML e-mail would be
blocked by Outlook Express 6.0 and Outlook 2000 in their
default configurations, and by Outlook 98 and 2000 if used in
conjunction with the Outlook Email Security Update.
______________________________________________________________________________
LINKS:
CIAC BULLETIN: http://www.ciac.org/ciac/bulletins/n-074.shtml
ORIGINAL BULLETIN:
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-011.asp
______________________________________________________________________________
[***** Start Microsoft Security Bulletin MS03-011 *****]
Microsoft Security Bulletin MS03-011
Flaw in Microsoft VM Could Enable System Compromise (816093)
Originally posted: April 09, 2003
Summary
Who should read this bulletin: Customers using Microsoft® Windows®.
Impact of vulnerability: Allows an attacker to execute code of his or her choice.
Maximum Severity Rating: Critical
Recommendation: Customers should install build 3810 or later of the
Microsoft VM, as discussed below.
End User Bulletin: An end user version of this bulletin is available at:
http://www.microsoft.com/security/security_bulletins/ms03-011.asp
Affected Software:
Versions of the Microsoft virtual machine (Microsoft VM) are identified by
build numbers, which can be determined using the JVIEW tool as discussed
in the FAQ. All builds of the Microsoft VM up to and including build
5.0.3809 are affected by these vulnerabilities.
Technical details
Technical description:
The Microsoft VM is a virtual machine for the Win32® operating environment.
The Microsoft VM is shipped in most versions of Windows (a complete list
is available in the FAQ), as well as in most versions of Internet Explorer.
The present Microsoft VM, which includes all previously released fixes to
the VM, has been updated to include a fix for the newly reported security
vulnerability. This new security vulnerability affects the ByteCode
Verifier component of the Microsoft VM, and arises because the ByteCode
Verifier does not correctly check for the presence of certain malicious
code when a Java applet is being loaded. The attack vector for this new
security issue would likely involve an attacker creating a malicious Java
applet and inserting it into a web page that, when opened, would exploit
the vulnerability. An attacker could then host this malicious web page on
a web site, or could send it to a user in e-mail.
Mitigating factors:
In order to exploit this vulnerability via the web-based attack vector,
the attacker would need to entice a user into visiting a web site that
the attacker controlled. The vulnerability itself provides no way to
force a user to a web site.
Java applets are disabled within the Restricted Sites Zone. As a result,
any mail client that opened HTML mail within the Restricted Sites Zone,
such as Outlook 2002, Outlook Express 6, or Outlook 98 or 2000 when used
in conjunction with the Outlook Email Security Update, would not be at
risk from the mail-based attack vector.
An attacker exploiting the vulnerability would gain only the privileges of
the user, so customers who operate with less than administrative privileges
would be at less risk from the vulnerability.
Corporate IT administrators could limit the risk posed to their users by
using application filters at the firewall to inspect and block mobile code.
Severity Rating:
Microsoft VM Critical
The above assessment is based on the types of systems affected by the
vulnerability, their typical deployment patterns, and the effect that
exploiting the vulnerability would have on them.
Vulnerability identifier: CAN-2003-0111
Tested Versions:
Microsoft tested VM builds 5.0.3802 and later to assess whether they are
affected by these vulnerabilities. Previous versions are no longer supported,
and may or may not be affected by these vulnerabilities.
Patch availability
Download locations for this patch:
The patch is available to update existing Microsoft VMs via the Windows
Update web site.
For Windows 2000 Service Packs 2 & 3 only, the patch is also available at:
All except Japanese NEC
NEC Japanese
Note: A version of the patch that can be downloaded and deployed throughout
a network is available. Information on obtaining it is available in the FAQ.
Additional information about this patch
Installation platforms: The new VM build can be installed to update
Microsoft VMs on the following versions of Windows:
Microsoft Windows 95
Microsoft Windows 98 and 98SE
Microsoft Windows Millennium
Microsoft Windows NT 4.0, beginning with Service Pack 1
Windows 2000 Service Pack 2 or Service Pack 3
Microsoft Windows XP Gold or Service Pack 1.
Inclusion in future service packs:
The fixes included in this build will be included in all future VM builds.
Reboot needed: Yes
Patch can be uninstalled: No
Superseded patches:
The new VM build supersedes all builds prior to and including 5.0.3809.
It includes fixes for all issues discussed in the following Microsoft
security bulletins:
MS99-031
MS99-045
MS00-011
MS00-059
MS00-075
MS00-081
MS02-013
MS02-052
MS02-069
Verifying patch installation: Knowledge Base article 816093 provides
information to verify that you've installed the patch.
Note: Regardless of the version number viewed from Jview, the registry
key described in the above article should be the determining factor for
proper installation of this patch.
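The "Affected Software" and "Verifying patch installation" sections above both identify a Microsoft VM by its build number: every build up to and including 5.0.3809 is affected, build 3810 or later carries the fix, and Microsoft tested only builds 5.0.3802 and later. The following Python helper is an added example, not code from CIAC or Microsoft; it reads the build number out of the banner that running jview with no arguments prints and maps it onto those three categories. The banner wording in the sample strings is an assumption constructed for this example (only the trailing "5.00.NNNN" number is relied upon), and because the bulletin gives no registry key, the authoritative registry check it refers to in KB 816093 is not reproduced here.

```python
"""Build-number triage for the Microsoft VM flaw in MS03-011 / CIAC N-074.

Added example, not code from CIAC or Microsoft.  Thresholds come from the
bulletin text; the jview banner format is an assumption for this example.
"""
import re
import shutil
import subprocess
from typing import Optional, Tuple

# Thresholds taken from the bulletin text.
TESTED_MIN_BUILD = 3802    # "Microsoft tested VM builds 5.0.3802 and later"
AFFECTED_MAX_BUILD = 3809  # "all builds up to and including build 5.0.3809"
FIXED_MIN_BUILD = 3810     # "install build 3810 or later"

# Constructed sample banners.  The wording is an assumption made for this
# example; only the trailing "5.00.NNNN" build number is relied upon.
SAMPLE_BANNER_AFFECTED = (
    "Microsoft (R) Command-line Loader for Java Version 5.00.3809\n"
    "Copyright (C) Microsoft Corp 1996-2000. All rights reserved.\n"
)
SAMPLE_BANNER_PATCHED = (
    "Microsoft (R) Command-line Loader for Java Version 5.00.3810\n"
    "Copyright (C) Microsoft Corp 1996-2000. All rights reserved.\n"
)

# Accept both the "5.0.3809" form used in the bulletin and "5.00.3809".
_BUILD_RE = re.compile(r"\b5\.0{1,2}\.(\d{4})\b")


def parse_build(banner: str) -> Optional[int]:
    """Return the four-digit Microsoft VM build number found in a jview banner, or None."""
    match = _BUILD_RE.search(banner)
    return int(match.group(1)) if match else None


def classify(build: Optional[int]) -> Tuple[str, str]:
    """Map a build number onto the bulletin's categories as (status, action)."""
    if build is None:
        return ("unknown", "no Microsoft VM build number found; the VM may not be installed")
    if build < TESTED_MIN_BUILD:
        return ("untested", "older than 5.0.3802: unsupported by Microsoft and may or may not "
                            "be affected; the new build supersedes it, so update to 3810 or later")
    if build <= AFFECTED_MAX_BUILD:
        return ("affected", "install build %d or later via Windows Update" % FIXED_MIN_BUILD)
    return ("patched", "build %d already includes the fix" % build)


def triage(banner: str) -> Tuple[Optional[int], str, str]:
    """Banner text in, (build, status, action) out."""
    build = parse_build(banner)
    status, action = classify(build)
    return build, status, action


def triage_local_host() -> Optional[Tuple[Optional[int], str, str]]:
    """Run jview on this machine if it is on PATH and triage its banner; None if absent."""
    if shutil.which("jview") is None:
        return None
    proc = subprocess.run(["jview"], capture_output=True, text=True)
    return triage(proc.stdout + proc.stderr)


if __name__ == "__main__":
    for banner in (SAMPLE_BANNER_AFFECTED, SAMPLE_BANNER_PATCHED):
        print(triage(banner))
    local = triage_local_host()
    print("local host:", local if local else "jview not found")
```

On a host that still has the Microsoft VM installed, `triage_local_host()` feeds the real jview banner through the same logic; anywhere else the two constructed samples exercise the "affected" and "patched" branches. The "untested" branch mirrors the bulletin's statement that builds before 5.0.3802 are unsupported and may or may not be affected, so it still recommends updating rather than reporting them as safe.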
Caveats:
None
Localization:
Localized versions of this patch are available at the locations discussed
in “Patch Availability”.
Obtaining other security patches:
Patches for other security issues are available from the following locations:
Security patches are available from the Microsoft Download Center, and can
be most easily found by doing a keyword search for "security_patch".
Patches for consumer platforms are available from the WindowsUpdate web site.
Other information:
Support:
Microsoft Knowledge Base article 816093 discusses this issue and will be
available approximately 24 hours after the release of this bulletin.
Knowledge Base articles can be found on the Microsoft Online Support web
site.
Technical support is available from Microsoft Product Support Services.
There is no charge for support calls associated with security patches.
Security Resources: The Microsoft TechNet Security Web Site provides
additional information about security in Microsoft products.
Disclaimer:
The information provided in the Microsoft Knowledge Base is provided
"as is" without warranty of any kind. Microsoft disclaims all warranties,
either express or implied, including the warranties of merchantability and
fitness for a particular purpose. In no event shall Microsoft Corporation
or its suppliers be liable for any damages whatsoever including direct,
indirect, incidental, consequential, loss of business profits or special
damages, even if Microsoft Corporation or its suppliers have been advised
of the possibility of such damages. Some states do not allow the exclusion
or limitation of liability for consequential or incidental damages so the
foregoing limitation may not apply.
Revisions:
V1.0 (April 09, 2003): Bulletin Created.
[***** End Microsoft Security Bulletin MS03-011 *****]
_______________________________________________________________________________
CIAC wishes to acknowledge the contributions of Microsoft for the
information contained in this bulletin.
_______________________________________________________________________________
CIAC, the Computer Incident Advisory Capability, is the computer
security incident response team for the U.S. Department of Energy
(DOE) and the emergency backup response team for the National
Institutes of Health (NIH). CIAC is located at the Lawrence Livermore
National Laboratory in Livermore, California. CIAC is also a founding
member of FIRST, the Forum of Incident Response and Security Teams, a
global organization established to foster cooperation and coordination
among computer security teams worldwide.
CIAC services are available to DOE, DOE contractors, and the NIH. CIAC
can be contacted at:
Voice: +1 925-422-8193 (7x24)
FAX: +1 925-423-8002
STU-III: +1 925-423-2604
E-mail: ciac@ciac.org
Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.
World Wide Web: http://www.ciac.org/
Anonymous FTP: ftp.ciac.org
PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins. If you are not part of these
communities, please contact your agency's response team to report
incidents. Your agency's team will coordinate with CIAC. The Forum of
Incident Response and Security Teams (FIRST) is a world-wide
organization. A list of FIRST member organizations and their
constituencies can be obtained via WWW at http://www.first.org/.
This document was prepared as an account of work sponsored by an
agency of the United States Government. Neither the United States
Government nor the University of California nor any of their
employees, makes any warranty, express or implied, or assumes any
legal liability or responsibility for the accuracy, completeness, or
usefulness of any information, apparatus, product, or process
disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products,
process, or service by trade name, trademark, manufacturer, or
otherwise, does not necessarily constitute or imply its endorsement,
recommendation or favoring by the United States Government or the
University of California. The views and opinions of authors expressed
herein do not necessarily state or reflect those of the United States
Government or the University of California, and shall not be used for
advertising or product endorsement purposes.
LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)
N-064: Sun Buffer Overflow in Web Connector Module of Application Server
N-065: Multiple Vulnerabilities in Lotus Notes and Domino
N-066: RealPlayer PNG Deflate Heap Corruption Vulnerability
N-067: Sendmail MTA Buffer Overflow Vulnerability
N-068: Sun Solaris Buffer Overflow in lpq(1B) Command
N-069: Sun Solaris newtask(1) Command Vulnerability
N-070: Sun Solaris at(1) Command Vulnerability
N-071: Red Hat Eye of GNOME (EOG) Packages Fix Format String Vulnerability
N-072: Sun Solaris dtsession Security Vulnerability
N-073: Samba 'call_trans2open' Remote Buffer Overflow Vulnerability