Microsoft Security Program: Frequently Asked Questions: Microsoft Security Bulletin (MS99-045)
What's this bulletin about?
Microsoft Security Bulletin MS99-045 announces the availability of a new version of the Microsoft VM that eliminates a security vulnerability. The vulnerability could allow a Java program on a web page to take unauthorized actions against a user who visited the page, as discussed below. Microsoft takes security seriously, and is providing the bulletin to inform customers of the vulnerability and what they can do about it.
What's the scope of the vulnerability?
A web-hosted Java program could take unauthorized, potentially malicious actions against visitors to the web site. The specific actions that could be taken are limited only by the privileges of the user. If a user were web browsing in an account that had few privileges on the computer, the controls might be able to cause little damage; on the other hand, if a user in a highly-privileged account browsed an affected web page, the controls would have all of the user's significant privileges on the local machine. Examples of the type of actions that could be taken in most cases include reading, writing, and deleting files, reformatting the hard drive, or copy data to/from a web page.
Are all Java programs affected by this vulnerability?
No. There are two general classes of Java programs: Java applications, which are hosted on a local machine and run like any other program, and Java applets, which are hosted on web sites and run when a web site visitor arrives at a particular page. Java applets are treated differently from Java applications. Because they are untrusted code, the virtual machine runs them in a "sandbox" that restricts what they are allowed to do. In general, the sandbox is designed to prevent a Java applet from making any changes to the data on the user's computer. The vulnerability at issue here involves the sandboxing function, and so affects only Java applets.
What's the vulnerability?
A scenario has been identified through which a Java applet could escape the sandbox via an illegal cast operation.
What's a cast operation?
Casting is the process of converting from one type to another, and is a staple of virtually all computer languages. The most familiar type of cast operation involves converting between data types. For instance, a program might need to cast an integer variable to a floating point; if the value of the variable were 1, the cast operation would convert it to a floating point value of 1.0. However, cast operations can go beyond just converting data types. In the particular case at hand, it's possible to convert private classes to public ones, thereby enabling a Java applet to request services that it normally would be prevented from requesting. These services would allow the applet to take virtually any action that it was programmed to take, limited only by the privileges of the user who ran it.
How difficult would it be to exploit this vulnerability?
It would be very difficult. A malicious user could not exploit this vulnerability by simply writing a Java applet and compiling it. Instead, he or she would need to edit the binary version of the applet and change specific values. This could not happen accidentally.
Does disabling Java applets in IE protect against this vulnerability?
Yes. If you've disabled Java applets, they cannot run and you cannot be affected by this vulnerability. Microsoft recommends that you consider upgrading to the new version even if you have disabled Java applets in IE, as you may decide later to re-enable Java support.
How do I know if I have a version of the Microsoft VM that has the vulnerability?
The easiest way to tell is by checking the software you have installed on your machine:
- If you're using IE 4 or IE 5, you definitely have a version of the VM that's affected by the vulnerability. It doesn't matter what other software you have installed; if IE 4 or 5.0 are installed, you have an affected version of the VM.
- Even if you're not using a version of the IE that is affected by the vulnerability, you could still have an affected version of the Microsoft VM, as it ships as part of other products like Visual Studio. In this case, the best course is to determine the build number for the version of the Microsoft VM you are using and see if you have an affected version.
How do I determine the build number for my version of the Microsoft VM?
- Open a command window:
- On Windows NT, choose "Start", then "Run", then type "CMD" and hit the enter key.
- On Windows 95 or 98, choose "Start", then "Run" then type "COMMAND" and hit the enter key.
- At the command prompt, type "JVIEW" and hit the enter key.
- The version information will be at the right of the topmost line. It will have a format like "5.00.xxxx", where the "xxxx" is the build number. For example, if the version number is 5.00.1234, you have build number 1234.
I've determined the build number. How do I tell if I'm affected?
Use this table to determine whether you have an affected version:
|2000-2441||Affected by vulnerability|
|3000-3187||Affected by vulnerability|
|Any other value||Not affected by vulnerability|
I have an affected version. How can I eliminate the problem?
There are two options for doing this, as discussed in the "Patch Availability" section of the bulletin:
- Apply patches that correct the specific problem at hand. The advantage here is that the download time is much less. However, there are more steps involved in applying the patches.
- Download a new version of the Microsoft VM. Downloading a new version requires fewer steps, because you only need to download one file and install it. However, the file is 6 megabytes in size, so the download could take a long time, depending on modem speed.
I want to apply patches to correct the problem. How do I do this?
As discussed in the "Patch Availability" section of the bulletin, the WindowsUpdate site provides patches for the problem. However, the behavior that you'll see at the WindowsUpdate site will vary depending on the version of the VM that's installed.
- If you have a version of the VM prior to build 3167, you will not see an option to install a patch when you initially visit the WindowsUpdate site. Instead, you'll see a Critical Update labeled "Microsoft Virtual Machine". This update installs build 3167 of the VM. Once you've completed the installation, go back to the WindowsUpdate site. This time, you'll see a Critical Update labeled "Security Update for Microsoft Virtual Machine". This applies the patch against this vulnerability, and increases your build number as shown by the Jview tool to 3176.
- If you already have build 3167 installed on your machine, you'll see a Critical Update labeled "Security Update for Microsoft Virtual Machine". This applies the patch against this vulnerability, and increases your build number as shown by the Jview tool to 3176.
- If you have a build greater than 3167 installed on your machine, you cannot use WindowsUpdate to patch the vulnerability. Instead, you must download a new version from the http://www.microsoft.com/mscorp/java/ site, as discussed below.
How can I verify that I installed the patches correctly?
Just go back to the WindowsUpdate site, and click on "Show Installed Updates". If "Security Update for Microsoft Virtual Machine" is listed, you've installed the patch correctly.
It is very important to note that if you used the WindowsUpdate site to apply the patches, you cannot verify the installation using the table of build numbers provided in "I've determined the build number. How do I tell if I'm affected?" above. The table only applies to versions of the VM that were not installed via WindowsUpdate.
I want to download a new version of the VM. How do I do this?
As discussed in the "Patch Availability" section of the Security Bulletin, there are new versions available for the 2000 and 3000 series. (You have a 2000 series build if your build number starts with 2, and a 3000 series build if it starts with 3). Download and install the version that's appropriate for your build. (By the way, you can upgrade from the 2000 series to the 3000 series if you like; just download and install the new 3000 series version).
How can I verify that I installed the new version correctly?
Just check the build number, using the directions above in "How do I determine the build number?" then use the following table:
|If your version of Microsoft VM is in this build series...||You've correctly installed the new version if JVIEW indicates that the build number is...|
|20000 series||2442 or higher|
|3000 series||3188 or higher|
It is very important to note that if you installed a new version of the VM from the http://www.microsoft.com/mscorp/java/ site, you cannot use the WindowsUpdate site to verify that you installed it correctly. The only way to verify the installation is via the table above.
Will this vulnerability be eliminated in IE 5.01?
Yes. The version of the Microsoft VM that will ship with IE 5.01 will not be affected by this vulnerability.
What is Microsoft doing about this issue?
- Microsoft has developed a new version of the Microsoft VM that eliminates the vulnerability.
- Microsoft has provided a security bulletin and this FAQ to provide customers with a detailed understanding of the vulnerability and the new version of the Microsoft VM.
- Microsoft has sent copies of the security bulletin to all subscribers to the Microsoft Product Security Notification Service, a free e-mail service that customers can use to stay up to date with Microsoft security bulletins.
- Microsoft has issued a Knowledge Base article explaining the vulnerability and new version of the Microsoft VM in more detail.
Where can I learn more about best practices for security?
The Microsoft Security web site is the best to place to get information about Microsoft security.
Where can I learn more about the Microsoft VM?
The Microsoft Technologies for Java web site is the best to place to get information about Microsoft's Java development efforts.
How do I get technical support on this issue?
Microsoft Technical Support can provide assistance with this or any other product support issue.
THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY.