Microsoft Security Bulletin (MS00-011): Frequently Asked Questions
What's this bulletin about?
Microsoft Security Bulletin MS00-011.mspx announces the availability of a patch that eliminates a vulnerability in the Microsoft® virtual machine (Microsoft VM). The vulnerability could allow a malicious web site operator to read files from the computer of a person who visited his site or read web content from inside an intranet if the malicious site is visited by a computer from within that intranet. In both cases the malicious applet would have to know the exact name and location of the files. Microsoft is committed to protecting customers' information, and is providing the bulletin to inform customers of the vulnerability and what they can do about it.
What's the scope of the vulnerability?
This vulnerability would allow a malicious web site to read - but not to change, add or delete - files from the computer of a person who visited his site or read web content from inside an intranet if the malicious site is visited by a computer from within that intranet. In both cases the malicious user would need to know the exact location and name of the file that he wanted to read.
Are all Java programs affected by this vulnerability?
No. There are two general classes of Java programs: Java applications, which are hosted on the same machine they run on, and Java applets, which are hosted on web sites and run on user's computers when they visit the site. Only Java applets are affected by this vulnerability.
Because Java applets are untrusted code, they are treated differently than Java applications. They are run within a virtual machine that uses a "sandbox" to restrict what they can do. In general, the sandbox is designed to prevent a Java applet from taking any inappropriate actions on the user's computer. The vulnerability at issue here involves a flaw in the sandbox.
What is the vulnerability?
Among the inappropriate actions that the sandbox should prevent a Java applet from taking is reading files on the user's computer. However, through a complex series of steps, it is possible for an applet to bypass this restriction. The applet could not change, add or delete files, but could send the contents of the files it read back to the web site. It's worth noting, though, the malicious web site operator would need to specify the exact location and name of every file to read on the visitor's computer or the local intranet - there is no capability through this vulnerability to search the user's hard drive.
How would the malicious user know the name and location of the files he wanted to read?
In general, this would be a social engineering problem - the malicious user would need to know something about the computers that he attacked in order to know what files would be present on it, and where they would be located. However, some system files have well-known names and locations, and some programs use standardized locations for storing certain files.
Could this vulnerability be exploited accidentally?
No. The set of steps needed to bypass the sandbox restrictions in this case are extremely unlikely to happen accidentally.
How do I know if I have a version of the Microsoft VM that has the vulnerability?
The easiest way to tell is by checking the software you have installed on your machine:
- If you're using IE 4.x or IE 5.x, you definitely have a version of the VM that's affected by the vulnerability. It doesn't matter what other software you have installed; if IE 4.x or 5.x are installed, you have an affected version of the VM.
- Even if you're not using a version of the IE that is affected by the vulnerability, you could still have an affected version of the Microsoft VM, as it ships as part of other products like Visual Studio. In this case, the best course is to determine the build number for the version of the Microsoft VM you are using and see if you have an affected version.
How do I determine the build number for my version of the Microsoft VM?
- Open a command window:
- On Windows NT or Windows 2000, choose "Start", then "Run", then type "CMD" and hit the enter key.
- On Windows 95 or 98, choose "Start", then "Run" then type "COMMAND" and hit the enter key.
- At the command prompt, type "JVIEW" and hit the enter key.
- The version information will be at the right of the topmost line. It will have a format like "5.00.xxxx", where the "xxxx" is the build number. For example, if the version number is 5.00.1234, you have build number 1234.
I've determined the build number. How do I tell if I'm affected?
Use this table to determine whether you have an affected version:
|2000-2444||Affected by vulnerability|
|3000-3190||Affected by vulnerability|
|3229-3234||Affected by vulnerability|
|Any other value||Not affected by vulnerability|
What does the patch do?
The patch restores the sandbox restrictions in order to prevent this vulnerability.
Where can I get the patch?
The download location for new versions of the VM and patches is provided in the "Patch Availability" section of the security bulletin
How can I verify that I installed the new version correctly?
Just check the build number, using the directions above in "How do I determine the build number?" then use the following table:
|If your version of Microsoft VM is in this build series...||You've correctly installed the new version if JVIEW indicates that the build number is...|
|2000 series||2445 or higher|
|3100 series||3192 or higher|
|3200 series||3239 or higher|
What is Microsoft doing about this issue?
- Microsoft has developed new versions and patches that eliminate the vulnerability.
- Microsoft has provided a security bulletin and this FAQ to provide customers with a detailed understanding of the vulnerability and the patch.
- Microsoft has sent copies of the security bulletin to all subscribers to the Microsoft Product Security Notification Service, a free e-mail service that customers can use to stay up to date with Microsoft security bulletins.
- Microsoft has issued a Knowledge Base article explaining the vulnerability and patch in more detail.
Where can I learn more about best practices for security?
The Microsoft Security Advisor web site is the best to place to get information about Microsoft security.
How do I get technical support on this issue?
Microsoft Technical Support can provide assistance with this or any other product support issue.
THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY.