Microsoft Security Bulletin MS00-075

Technical description:

The Microsoft VM is a virtual machine for the Win32® operating environment. It runs atop Microsoft® Windows 95, 98, Windows Me, Windows NT 4.0, or Windows 2000. It ships as part of each operating system, and also as part of Microsoft Internet Explorer. The version of the Microsoft VM that ships with Microsoft Internet Explorer 4.x and Internet Explorer 5.x contains a security vulnerability that could allow a Java applet, on a malicious web site to take any desired action on a visiting user's machine.

The Microsoft virtual machine (Microsoft VM) contains functionality that allows ActiveX controls to be created and manipulated by Java applications or applets. This functionality is intended to only be available to stand-alone Java applications or digitally signed applets. However, this vulnerability allows ActiveX controls to be created and used from a web page, or from within a HTML based e-mail message, without requiring a signed applet. If a user visited a malicious web site that exploited this vulnerability, a Java applet on one of the web pages could run any desired ActiveX control, even ones that are marked as unsafe for scripting. This would enable the malicious web site operator to take any desired action on the user's machine.

Web sites placed within the Restricted Sites zone in Internet Explorer will not be able to exploit this vulnerability.

What's this bulletin about?
Microsoft Security Bulletin MS00-075 announces the availability of a patch that eliminates a vulnerability in Microsoft® virtual machine (Microsoft VM). The vulnerability could allow a malicious user operating a web site to take any desired action on a visiting user's machine. Microsoft is committed to protecting customers' information,and is providing the bulletin to inform customers of the vulnerability and what they can do about it.

What's the scope of the vulnerability?
This vulnerability could allow a malicious web site operator to take inappropriate action on the machine of a user who visited his site. Specifically, it would let him take any action on the machine that the user himself was capable of taking, such as creating, changing or deleting data, sending data to or receiving data from a web site, reformatting the hard drive, and so forth.
User's with Active Scripting or Scripting of Java applets disabled in their IE security zone will not be affected by this vulnerability.

What is the cause of this vulnerability?
The Microsoft VM contains functionality to create and use ActiveX controls. By design, only a digitally signed applet should be able to use this functionality. However, a flaw in the Microsoft VM could enable an unsigned applet to use it.

Is this a vulnerability in the VM or in ActiveX?
The vulnerability is a flaw with the Microsoft VM and not with any particular ActiveX control or any ActiveX technology.

What is the significance of digitally signed applets in this vulnerability?
By design, a digitally-signed Java applet should be able to run ActiveX controls, as long as the signer is someone the user trusts. This is appropriate, because the digital signature shows who owns the applet, and proves that the applet has not been tampered with.
This vulnerability, however, enables an unsigned applet to take the same action. Clearly, this isn't appropriate, because in this case the applet is untrusted. If such an applet were hosted on a malicious user's web site, it could take actions that only a trusted applet should be able to take.

What ActiveX controls could a Java applet run via this vulnerability?
The vulnerability in the VM could allow any ActiveX control to be used that is present on the user's machine or one that a malicious web site operator hosted on their site.

What could a malicious user do with this vulnerability?
If a malicious web site operator could persuade a user to visit his web site, he could utilize this vulnerability in the Microsoft VM to execute any ActiveX control present on the visiting user's machine. This would effectively let him take any action the user could take. If the user were running in a highly-restricted security context, he might be able to do very little. But if the user were running as a local administrator, the malicious user would gain complete control over the machine.

Why would the ability to execute any desired ActiveX control give the malicious user full control over the machine?
Various ActiveX controls are available that enable the calling application to take virtually any desired action. Normally, the controls that allow dangerous actions to be taken are unavailable because they're marked unsafe for scripting - but this vulnerability in the VM allows malicious users to exploit those controls without any restrictions.

Suppose there weren't an ActiveX control available on my machine to do what the malicious user wanted. What could he do?
The malicious user could host an ActiveX control as an applet, on their web site, and use this vulnerability to take any action on a visiting user's machine.

Could this vulnerability be exploited through an e-mail message?
A malicious user could use an html formatted e-mail to exploit this vulnerability and allow a message to execute within the Preview pane. If the e-mail client is configured to run in the Restricted sites zone the malicious message would not be able to execute.

My security options in IE are set to prevent unsafe ActiveX controls from running. Would this vulnerability enable a malicious user to run them anyway?
Yes. The vulnerability is not with a malicious ActiveX control, but with the Microsoft VM. If Active scripting, or scripting of Java applets were disabled in the security options then a user would not be susceptible to this vulnerability.

My corporate intranet is protected by a firewall. Would this prevent the vulnerability from running code on my machine?
No. Keep in mind that, in order to be affected by the vulnerability, a user would need to first visit a malicious user's web site. In such a case, the web session would have originated from inside the firewall, and all of the subsequently-relayed data would piggyback on that session. This would enable the vulnerability to be exploited through the firewall.

How do I know if I have a version of the Microsoft VM that has the vulnerability?
The easiest way to tell is by checking the software you have installed on your machine: If you're using IE 4.x or IE 5.x, you definitely have a version of the VM that's affected by the vulnerability. It doesn't matter what other software you have installed; if IE 4.x or 5.x are installed, you have an affected version of the VM.
Even if you're not using a version of the IE that is affected by the vulnerability, you could still have an affected version of the Microsoft VM, as it ships as part of other products like Visual Studio. In this case, the best course is to determine the build number for the version of the Microsoft VM you are using and see if you have an affected version.

How do I determine the build number for my version of the Microsoft VM?
Open a command window:

1. On Windows NT or Windows 2000, choose "Start", then "Run", then type "CMD" and hit the enter key.
2. On Windows 95, 98, or Windows Me choose "Start", then "Run" then type "COMMAND" and hit the enter key.
3. At the command prompt, type "JVIEW" and hit the enter key.
4. The version information will be at the right of the topmost line. It will have a format like "5.00.xxxx", where the "xxxx" is the build number. For example, if the version number is 5.00.1234, you have build number 1234.

I've determined the build number. How do I tell if I'm affected?
Use this table to determine whether you have an affected version:

Note: All users who have an affected version of the Microsoft VM should install the new VM build.

What does the fix do?
The new VM restores the security restrictions in order to prevent this vulnerability.

Note: This fix supersedes the patch supplied in MS00-059

Where can I get the patch?
The download location for the patch is provided in the "Patch Availability" section of the security bulletin .

How do I use the patch?
Knowledge Base article Q275609 contains detailed instructions for applying the fix.

How can I tell if I installed the patch correctly?
The Knowledge Base article Q275609 provides a manifest of the files in the patch package.The easiest way to verify that you've installed the patch correctly is to verify that these files are present on your computer, and have the same sizes and creation dates as shown in the KB article.

What is Microsoft doing about this issue?

• Microsoft has delivered a patch that eliminates the vulnerability.
• Microsoft has provided a security bulletin and this FAQ to provide customers with a detailed understanding of the vulnerability and the procedure to eliminate it.
• Microsoft has sent copies of the security bulletin to all subscribers to the Microsoft Product Security Notification Service, a free e-mail service that customers can use to stay up to date with Microsoft security bulletins.
• Microsoft has issued a Knowledge Base article Q275609 explaining the vulnerability and installation procedures in more detail.

Where can I learn more about best practices for security?
The Microsoft TechNet Security web site is the best to place to get information about Microsoft security.

How do I get technical support on this issue?
Microsoft Product Support Services can provide assistance with this or any other product support issue.

Microsoft Java Virtual Machine is no longer in support. For more information, please refer to Microsoft Java Virtual Machine and Microsoft Java Virtual Machine Support.