What's this bulletin about?
Microsoft Security Bulletin MS00-081 announces the availability of a patch that eliminates a vulnerability in Microsoft® virtual machine (Microsoft VM). Microsoft is committed to protecting customers' information,and is providing the bulletin to inform customers of the vulnerability and what they can do about it.
What's the scope of the vulnerability?
This is a new variant of the "VM File Reading" vulnerability discussed in Microsoft Security Bulletin MS00-011. Like the original vulnerability, the new variant would allow a malicious web site to read - but not to change, add or delete - files from the computer of a person who visited his site or read web content from inside an intranet if the malicious site is visited by a computer from within that intranet.
The patch provided in the Patch Availability section of this bulletin provides protection against all known variants of the vulnerability. As a result, customers who previously installed the patch provided in MS00-011 should also install the patch provided here. However, customers who have not installed the MS00-011 patch only need to install the one provided here in order to be fully protected against both variants.
Are all Java programs affected by this vulnerability?
No. There are two general classes of Java programs: Java applications, which are hosted on the same machine they run on, and Java applets, which are hosted on web sites and run on user's computers when they visit the site. Only Java applets are affected by this vulnerability.
Because Java applets are untrusted code, they are treated differently than Java applications. They are run within a virtual machine that uses a "sandbox" to restrict what they can do. In general, the sandbox is designed to prevent a Java applet from taking any inappropriate actions on the user's computer. The vulnerability at issue here involves a flaw in the sandbox.
What is the vulnerability?
Among the inappropriate actions that the sandbox should prevent a Java applet from taking is reading files on the user's computer. However, through a complex series of steps, it is possible for an applet to bypass this restriction. The applet could not change, add or delete files, but could send the contents of the files it read back to the web site.
How does the new variant differ from the original variant?
The two vulnerabilities are very similar. The effect of the vulnerabilities is the same, and both involve the same general mechanism.
Would the malicious user need to know the name and location of the files he wanted to read?
This is one area in which the new variant is slightly different from the original one. In the original variant, the malicious user would need to know in advance the names of all files he wanted to read, and program them into the applet. The new variant makes things slightly easier for the malicious user, depending on where the files are located:
- If the malicious user exploited the vulnerability to read files directly from the victim's computer, it would be possible for the applet to determine the names of the files present on the computer.
- If the malicious user exploited the vulnerability to read files on the victim's intranet, it would be somewhat more difficult. The applet could not determine the names of machines and shares on the victim's intranet. However, if these were known, the applet could determine what files existed on them. For instance, the applet could not determine that a share named \\server1\myfiles existed on the intranet, but if the malicious user could learn this information through other means, his applet could list the files on \\server1\myfiles and select particular ones.
Could this vulnerability be exploited accidentally?
No. The set of steps needed to bypass the sandbox restrictions in this case are extremely unlikely to happen accidentally.
How do I know if I have a version of the Microsoft VM that has the vulnerability?
The easiest way to tell is by checking the software you have installed on your machine:
- If you're using IE 4.x or IE 5.x, you definitely have a version of the VM that's affected by the vulnerability. It doesn't matter what other software you have installed; if IE 4.x or 5.x are installed, you have an affected version of the VM.
- Even if you're not using a version of the IE that is affected by the vulnerability, you could still have an affected version of the Microsoft VM, as it ships as part of other products like Visual Studio. In this case, the best course is to determine the build number for the version of the Microsoft VM you are using and see if you have an affected version.
How do I determine the build number for my version of the Microsoft VM?
- Open a command window:
- On Windows NT or Windows 2000, choose "Start", then "Run", then type "CMD" and hit the enter key. On Windows 95 or 98, choose "Start", then "Run" then type "COMMAND" and hit the enter key.
- At the command prompt, type "JVIEW" and hit the enter key.
- The version information will be at the right of the topmost line. It will have a format like "5.00.xxxx", where the "xxxx" is the build number. For example, if the version number is 5.00.1234, you have build number 1234.
I've determined the build number. How do I tell if I'm affected?
Use this table to determine whether you have an affected version:
| Build Number | Status |
|---|
| 3318 or earlier | Affected by the vulnerability |
| All other versions | Not affected by the vulnerability or not a supported VM version |
Note: All users who have an affected version of the Microsoft VM should install the new VM build.
I applied the patch for the original version of the vulnerability. Does that patch eliminate the new variant?
No. To protect against both of the known variants of this vulnerability, you should apply the patch discussed in the Patch Availability section of this bulletin.
- The patch provided in Microsoft Security Bulletin MS00-011 only protects against the original variant of the vulnerability.
- The patch provided in this bulletin protects against both known variants of the vulnerability. If you apply it, you don't need to apply the patch provided in Microsoft Security Bulletin MS00-011.
What does the patch do?
The patch restores the sandbox restrictions in order to prevent this vulnerability.
Where can I get the patch?
The download location for the patch is provided in the "Patch Availability" section of the security bulletin .
How do I use the patch?
The Knowledge Base article contains detailed instructions for applying the patch to your site.
How can I tell if I installed the patch correctly?
Just check the build number, using the directions above in "How do I determine the build number?" then use the following table: Use this table to determine whether you have an affected version:
| If your version of Microsoft VM is in this build series... | You've correctly installed the new version if JVIEW indicates that the build number is... |
|---|
| 3000 series | 3319 or higher |
What is Microsoft doing about this issue?
- Microsoft has delivered a patch that eliminates the vulnerability.
- Microsoft has provided a security bulletin and this FAQ to provide customers with a detailed understanding of the vulnerability and the procedure to eliminate it.
- Microsoft has sent copies of the security bulletin to all subscribers to the Microsoft Product Security Notification Service, a free e-mail service that customers can use to stay up to date with Microsoft security bulletins.
- Microsoft has issued a Knowledge Base article explaining the vulnerability and procedure in more detail.
Where can I learn more about best practices for security?
The Microsoft TechNet Security web site is the best to place to get information about Microsoft security.
How do I get technical support on this issue?
Microsoft Product Support Services can provide assistance with this or any other product support issue.
