Microsoft Security Bulletin MS99-045
Patch Available "Virtual Machine Verifier" Vulnerability
Patch Availability Information Updated: July 1, 2009
Originally Posted: October 21, 1999
Microsoft has released a new version of the Microsoft® virtual machine (Microsoft VM) that eliminates a security vulnerability that could allow a Java applet to take unauthorized actions on the computer of a web site visitor. Although no standard Java compiler can generate such an applet, a Java applet constructed by hand with a Java bytecode assembler could bypass the sandbox and take virtually any action on the computer that the user would be capable of taking.
Frequently asked questions regarding this vulnerability can be found at http://www.microsoft.com/technet/security/bulletin/fq99-045.mspx.
The Microsoft VM is a virtual machine for the Win32® operating environment. It runs atop Microsoft Windows® 95, 98 or Windows NT®. It ships as part of each operating system, and also as part of Microsoft Internet Explorer.
The version of the Microsoft VM that ships with Microsoft Internet Explorer 4.0 and Internet Explorer 5.0 contains a security vulnerability in the bytecode verifier that could allow a Java applet to operate outside the bounds set by the sandbox. If hosted on a web site, it could cause any action to be taken on the computer of a visiting user that the user himself could take. This could include, for example, creating, deleting or modifying files, sending data to or receiving data from a web site, or reformatting the hard drive.
Affected Software Versions
Versions of the Microsoft VM are identified by build numbers, which can be determined using the JVIEW tool, as discussed in the FAQ. The following builds of the Microsoft VM are affected:
- All builds in the 2000 series prior to but not including build 2442
- All builds in the 3000 series prior to but not including build 3188
Note The Microsoft VM ships as part of several products. However, the primary ship vehicle is Internet Explorer. IE 4 ships with builds in the 2000 series; IE 5 ships with builds in the 3000 series.
Vulnerability Identifier: CVE-2000-0327
Please see the following references for more information related to this issue.
- Microsoft Security Bulletin MS99-045: Frequently Asked Questions, http://www.microsoft.com/technet/security/bulletin/fq99-045.mspx.
- Microsoft Knowledge Base (KB) article 244283, Bypassing Java Sandbox Results in VM Security Vulnerability, http://support.microsoft.com/default.aspx?scid=kb;en-us;244283&sd=tech.
Note It may take 24 hours from the original posting of this bulletin for this KB article to be visible.
- Microsoft Security web site, http://www.microsoft.com/technet/security/default.mspx.
Obtaining Support on this Issue
This is a fully supported patch. Information on contacting Microsoft Technical Support is available at http://support.microsoft.com/contactussupport/?ws=support.
- October 21, 1999: Bulletin Created.
- October 27, 1999: Bulletin updated to provide information regarding 2000 series builds.
- November 02, 1999: Bulletin updated to provide information regarding availability of patch on WindowsUpdate site.
- V2.0 (March 21, 2003): Introduced versioning and updated patch availability information.
- V3.0 (July 1, 2009): Removed download information because Microsoft Java Virtual Machine is no longer available for distribution from Microsoft. For more information, see Patch Availability.
THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY.