Microsoft Security Bulletin MS03-011 - Critical

Technical description:

The Microsoft VM is a virtual machine for the Win32® operating environment. The Microsoft VM is shipped in most versions of Windows (a complete list is available in the FAQ), as well as in most versions of Internet Explorer.

The present Microsoft VM, which includes all previously released fixes to the VM, has been updated to include a fix for the newly reported security vulnerability. This new security vulnerability affects the ByteCode Verifier component of the Microsoft VM, and results because the ByteCode verifier does not correctly check for the presence of certain malicious code when a Java applet is being loaded. The attack vector for this new security issue would likely involve an attacker creating a malicious Java applet and inserting it into a web page that when opened, would exploit the vulnerability. An attacker could then host this malicious web page on a web site, or could send it to a user in e-mail.

Mitigating factors:

• In order to exploit this vulnerability via the web-based attack vector, the attacker would need to entice a user into visiting a web site that the attacker controlled. The vulnerability itself provide no way to force a user to a web site.
• Java applets are disabled within the Restricted Sites Zone. As a result, any mail client that opened HTML mail within the Restricted Sites Zone, such as Outlook 2002, Outlook Express 6, or Outlook 98 or 2000 when used in conjunction with the Outlook Email Security Update, would not be at risk from the mail-based attack vector.
• The vulnerability would gain only the privileges of the user, so customers who operate with less than administrative privileges would be at less risk from the vulnerability.
• Corporate IT administrators could limit the risk posed to their users by using application filters at the firewall to inspect and block mobile code.

Severity Rating:

The above assessment is based on the types of systems affected by the vulnerability, their typical deployment patterns, and the effect that exploiting the vulnerability would have on them.

Vulnerability identifier: CAN-2003-0111

Tested Versions:

Microsoft tested VM builds 5.0.3802 and later to assess whether they are affected by these vulnerabilities. Previous versions are no longer supported, and may or may not be affected by these vulnerabilities.

What security vulnerability is eliminated by the new VM build?
This VM build includes all previously released security fixes, as well as fixing a newly reported security vulnerability that affects the ByteCode Verifier and could allow an attacker to run code of his or her choice on a user's system.

What is the Microsoft VM?
The Microsoft virtual machine (Microsoft VM) enables Java programs to run on Windows platforms. The Microsoft VM is included in most versions of Windows and Internet Explorer. The vulnerability discussed here affects all customers who have the Microsoft VM.

I don't know if the Microsoft VM is installed on my system. How can I tell?
If you're using any of the following versions of Windows, you definitely have the Microsoft VM installed:

• Microsoft Windows 95
• Microsoft Windows 98 and 98SE
• Microsoft Windows Millennium
• Microsoft Windows NT 4.0, beginning with Service Pack 1
• Microsoft Windows 2000 versions prior to Service Pack 4
• Microsoft Windows XP

The Microsoft VM also shipped as part of several versions of Internet Explorer and other products. If you're in doubt about whether you have it installed, do the following:

1. Select Start, then Run.
2. Open a command box, as follows:
   • If you are running Windows 98 or Windows Millennium, type "command" (without the quotes), then hit the enter key.
   • If you are running Windows NT 4.0, Windows 2000, or Windows XP, type "cmd" (without the quotes), then hit the enter key.
     • In the resulting command box, type "Jview" (without the quotes). If a program runs, you have the Microsoft VM installed. If you receive an error saying that no program by that name exists, you don't.

Is this a new version of the Microsoft VM?
Yes, Microsoft VM build 3810 is a new release of the Microsoft VM.

How can I tell what version of the Microsoft VM I'm using?
Here's how to determine the build number you're using:

1. Select Start, then Run.
2. On Windows 95, 98, or Me, type "command" (without the quotes). On Windows NT 4.0, 2000, or XP, type "cmd" (again, without the quotes). Hit the enter key.
3. In the result command box, type "Jview" (without the quotes) and hit the enter key.
4. In the topmost line of the resulting listing, you should see a version number of the form x.yy.zzzz. The final four digits are the version number.

Once I know the version number, what should I do?
Use the table below to determine the right action.

What causes the vulnerability?
The Vulnerability results because of a flaw in the way the ByteCode Verifier checks code when it is initially being loaded by the Microsoft VM.

What is the ByteCode Verifier?
The ByteCode Verifier is a low level process in the Microsoft VM that is responsible for checking the validity of code - or byte code - as it is initially being loaded into the Microsoft VM.

What's wrong with the ByteCode verifier in the Microsoft VM?
There is a flaw in the way the ByteCode Verifier conducts its checks when it is loading code. It does not check correctly for a particular illegal sequence of byte codes, therefore a malicious applet could be used to take advantage of this missing check and bypass subsequent security checks.

What could this vulnerability enable an attacker to do?
This vulnerability could enable an attacker to construct a malicious Java applet which could be used to execute code of the attacker's choice on a user's machine. The attacker could only run their code with the same permissions as the user, so any restrictions placed on the user would also affect the attacker as well.

How could an attacker exploit this vulnerability?
An attacker could seek to exploit this vulnerability by creating a malicious Java applet and inserting it into a web page. The web page could then be hosted on a web site, or sent to a user in e-mail.

What risk would the mail-based attack vector pose?
The disadvantage to an attacker of sending an applet in an HTML mail is that most recent Microsoft mail clients do not allow Java applets in email to run. By default, Outlook Express 6 and Outlook 2002 prevent Java applets embedded in HTML mail from running. Similarly, Outlook 98 and 2000 prevent Java applets from running if the Outlook Email Security Update has been installed. The advantage to the attacker of is that they could target specific users - that is, the attacker wouldn't need to wait for users to visit their web site, but instead could send the applet directly to them.

What does the patch do?
The patch eliminates the vulnerability by ensuring the ByteCode Verifier carries out the correct checks when loading a Java applet.

Workarounds

Are there any workarounds that I can apply while I am evaluating or testing the new Microsoft VM?
There are a number of workarounds that you may be able to apply temporarily while you evaluate and test the new Microsoft VM:

• In an enterprise environment, application filters may be used at the firewall to inspect and/or block mobile code
• The e-mail attack vector is prevented by default if one of the later Microsoft e-mail clients is used, such as such as Outlook 2002 or Outlook Express 6. With earlier Microsoft Outlook clients such as Outlook 98 or 2000, the e-mail vector is blocked if the Outlook Email Security Update is used.
• Java applets can be prevented from executing in the Internet Explorer Internet Zone. Note that disabling Java applets may affect your ability to view certain web pages. To do this carry out the following instructions:
  • On the Tools menu, click Internet Options, click the Security tab, and then click Custom Level.
  • In the Settings box, click Disable Java under Java Permissions, click OK and then click OK again.

Microsoft Java Virtual Machine is no longer in support. For more information, please refer to Microsoft Java Virtual Machine and Microsoft Java Virtual Machine Support.