Microsoft Security Bulletin MS00-081 - Critical
Patch Available for New Variant of 'VM File Reading' Vulnerability
Updated: July 01, 2009
Originally posted: October 25, 2000
On October 25, 2000, Microsoft released this bulletin to advise customers of the availability of a patch that eliminates a new variant of a security vulnerability affecting the Microsoft® virtual machine (Microsoft VM). On October 27, 2000, we updated the bulletin to advise that fewer versions of the VM are affected than originally reported.
The original variant of the vulnerability was discussed in Microsoft Security Bulletin MS00-011. Like the original vulnerability, the new variant could enable a malicious web site operator to read files from the computer of a person who visited his site or read web content from inside an intranet if the malicious site was visited by a computer from within that intranet.
Versions of the Microsoft VM are identified by build numbers, which can be determined using the JVIEW tool, as discussed in the FAQ. The following builds of the Microsoft VM are affected:
- All builds in the 3000 series numbered 3318 or earlier.
Note: The Microsoft VM ships as part of several products. However, the primary ship vehicle is Internet Explorer.
The Microsoft VM is a virtual machine for the Win32® operating environment. It runs atop Microsoft Windows® 95, 98, Me, Windows NT® 4.0, and Windows 2000. It ships as part of each operating system, and also as part of Microsoft Internet Explorer.
The version of the Microsoft VM that ships with Microsoft Internet Explorer 4.x and Internet Explorer 5.x contains a security vulnerability that could allow a Java applet to operate outside the bounds set by the sandbox. A malicious user could write a Java applet that could read - but not change, delete or add - files from the computer of a person who visited his site or read web content from inside an intranet if the malicious site is visited by a computer from within that intranet.
The vulnerability at issue here is a new variant of the vulnerability originally discussed in Microsoft Security Bulletin MS00-011. The only significant difference between the new and original variants lies in the specific programming technique used to exploit the vulnerability; in other respects, the two are virtually identical. Applying the new patch eliminates both the new and original variants.
What's this bulletin about?
Microsoft Security Bulletin MS00-081 announces the availability of a patch that eliminates a vulnerability in the Microsoft® virtual machine (Microsoft VM). Microsoft is committed to protecting customers' information, and is providing the bulletin to inform customers of the vulnerability and what they can do about it.
What's the scope of the vulnerability?
This is a new variant of the "VM File Reading" vulnerability discussed in Microsoft Security Bulletin MS00-011. Like the original vulnerability, the new variant would allow a malicious web site to read - but not to change, add or delete - files from the computer of a person who visited his site or read web content from inside an intranet if the malicious site is visited by a computer from within that intranet.
The patch provided in the Patch Availability section of this bulletin provides protection against all known variants of the vulnerability. As a result, customers who previously installed the patch provided in MS00-011 should also install the patch provided here. However, customers who have not installed the MS00-011 patch only need to install the one provided here in order to be fully protected against both variants.
Are all Java programs affected by this vulnerability?
No. There are two general classes of Java programs: Java applications, which are hosted on the same machine they run on, and Java applets, which are hosted on web sites and run on users' computers when they visit the site. Only Java applets are affected by this vulnerability.
Because Java applets are untrusted code, they are treated differently than Java applications. They are run within a virtual machine that uses a "sandbox" to restrict what they can do. In general, the sandbox is designed to prevent a Java applet from taking any inappropriate actions on the user's computer. The vulnerability at issue here involves a flaw in the sandbox.
What is the vulnerability?
Among the inappropriate actions that the sandbox should prevent a Java applet from taking is reading files on the user's computer. However, through a complex series of steps, it is possible for an applet to bypass this restriction. The applet could not change, add or delete files, but could send the contents of the files it read back to the web site.
How does the new variant differ from the original variant?
The two vulnerabilities are very similar. The effect of the vulnerabilities is the same, and both involve the same general mechanism.
Would the malicious user need to know the name and location of the files he wanted to read?
This is one area in which the new variant is slightly different from the original one. In the original variant, the malicious user would need to know in advance the names of all files he wanted to read, and program them into the applet. The new variant makes things slightly easier for the malicious user, depending on where the files are located:
- If the malicious user exploited the vulnerability to read files directly from the victim's computer, it would be possible for the applet to determine the names of the files present on the computer.
- If the malicious user exploited the vulnerability to read files on the victim's intranet, it would be somewhat more difficult. The applet could not determine the names of machines and shares on the victim's intranet. However, if these were known, the applet could determine what files existed on them. For instance, the applet could not determine that a share named \\server1\myfiles existed on the intranet, but if the malicious user could learn this information through other means, his applet could list the files on \\server1\myfiles and select particular ones.
Could this vulnerability be exploited accidentally?
No. The set of steps needed to bypass the sandbox restrictions in this case is extremely unlikely to happen accidentally.
How do I know if I have a version of the Microsoft VM that has the vulnerability?
The easiest way to tell is by checking the software you have installed on your machine:
- If you're using IE 4.x or IE 5.x, you definitely have a version of the VM that's affected by the vulnerability. It doesn't matter what other software you have installed; if IE 4.x or 5.x are installed, you have an affected version of the VM.
- Even if you're not using a version of IE that is affected by the vulnerability, you could still have an affected version of the Microsoft VM, as it ships as part of other products like Visual Studio. In this case, the best course is to determine the build number for the version of the Microsoft VM you are using and see if you have an affected version.
How do I determine the build number for my version of the Microsoft VM?
- Open a command window:
  - On Windows NT or Windows 2000, choose "Start", then "Run", then type "CMD" and hit the enter key. On Windows 95 or 98, choose "Start", then "Run", then type "COMMAND" and hit the enter key.
- At the command prompt, type "JVIEW" and hit the enter key.
- The version information will be at the right of the topmost line. It will have a format like "5.00.xxxx", where the "xxxx" is the build number. For example, if the version number is 5.00.1234, you have build number 1234.
I've determined the build number. How do I tell if I'm affected?
Use this table to determine whether you have an affected version:
| Build number | Status |
|---|---|
| 3318 or earlier | Affected by the vulnerability |
| All other versions | Not affected by the vulnerability or not a supported VM version |
Note: All users who have an affected version of the Microsoft VM should install the new VM build.
I applied the patch for the original version of the vulnerability. Does that patch eliminate the new variant?
No. To protect against both of the known variants of this vulnerability, you should apply the patch discussed in the Patch Availability section of this bulletin.
- The patch provided in Microsoft Security Bulletin MS00-011 only protects against the original variant of the vulnerability.
- The patch provided in this bulletin protects against both known variants of the vulnerability. If you apply it, you don't need to apply the patch provided in Microsoft Security Bulletin MS00-011.
What does the patch do?
The patch restores the sandbox restrictions in order to prevent this vulnerability.
Where can I get the patch?
The download location for the patch is provided in the "Patch Availability" section of the security bulletin.
How do I use the patch?
The Knowledge Base article contains detailed instructions for applying the patch to your site.
How can I tell if I installed the patch correctly?
Just check the build number, using the directions above in "How do I determine the build number?", then use the following table:
| If your version of Microsoft VM is in this build series... | You've correctly installed the new version if JVIEW indicates that the build number is... |
|---|---|
| 3000 series | 3319 or higher |
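For checking many machines at once, the JVIEW build check and the two tables above ("affected" and "correctly installed") can be applied to captured JVIEW output. This is an added example, not part of the original bulletin; the host names and banner text are constructed, and treating "3000 series" as builds 3000-3999 is an assumption.

```python
import re

# The bulletin says the version sits at the right of JVIEW's topmost line,
# in a format like "5.00.xxxx", where "xxxx" is the build number.
VERSION_AT_END = re.compile(r"\b\d+\.\d+\.(\d+)\s*$")

FIRST_FIXED_BUILD = 3319         # bulletin: 3000 series is fixed at 3319 or higher
SERIES_3000 = range(3000, 4000)  # assumption: "3000 series" means builds 3000-3999


def parse_build(jview_output):
    """Return the build number from the first non-empty output line, or None."""
    for line in jview_output.splitlines():
        if line.strip():
            match = VERSION_AT_END.search(line)
            return int(match.group(1)) if match else None
    return None


def classify(build):
    """Map a build number to the status given in the bulletin's tables."""
    if build is None:
        return "unknown"  # JVIEW missing, or no version on the first line
    if build in SERIES_3000:
        return "affected" if build < FIRST_FIXED_BUILD else "patched"
    return "not affected or not a supported VM version"


def triage(inventory):
    """inventory: {host: captured JVIEW output} -> {host: (build, status)}."""
    results = {}
    for host, output in inventory.items():
        build = parse_build(output)
        results[host] = (build, classify(build))
    return results


# Constructed sample input: host names and banner wording are illustrative only.
SAMPLE = {
    "ws-01": "Command-line Loader for Java  Version 5.00.3167\nUsage: JView ...\n",
    "ws-02": "\nCommand-line Loader for Java  Version 5.00.3319\n",
    "ws-03": "Command-line Loader for Java  Version 5.00.2925\n",
    "ws-04": "'JVIEW' is not recognized as an internal or external command,\n",
}

if __name__ == "__main__":
    for host, (build, status) in sorted(triage(SAMPLE).items()):
        print(f"{host}: build {build} -> {status}")
```

Hosts reported as "unknown" need a manual look, since the bulletin notes the VM also ships with products other than Internet Explorer.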
What is Microsoft doing about this issue?
- Microsoft has delivered a patch that eliminates the vulnerability.
- Microsoft has provided a security bulletin and this FAQ to provide customers with a detailed understanding of the vulnerability and the procedure to eliminate it.
- Microsoft has sent copies of the security bulletin to all subscribers to the Microsoft Product Security Notification Service, a free e-mail service that customers can use to stay up to date with Microsoft security bulletins.
- Microsoft has issued a Knowledge Base article explaining the vulnerability and procedure in more detail.
Where can I learn more about best practices for security?
The Microsoft TechNet Security web site is the best place to get information about Microsoft security.
How do I get technical support on this issue?
Microsoft Product Support Services can provide assistance with this or any other product support issue.
Support: This is a fully supported patch. Information on contacting Microsoft Product Support Services is available at http://support.microsoft.com/contactussupport/?ws=support.
Security Resources: The Microsoft TechNet Security Web Site provides additional information about security in Microsoft products.
The information provided in the Microsoft Knowledge Base is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.
- V1.0 (October 25, 2000): Bulletin Created.
- V1.1 (October 31, 2000): Bulletin updated to indicate that 2000-series builds are not affected by the vulnerability.
- V1.2 (January 26, 2001): Bulletin Updated to reflect update to VM patch version.
- V1.3 (June 1, 2001): Updated Patch availability section.
- V1.4 (July 20, 2002): Update made to download location.
- V1.5 (February 28, 2003): Update made to download location.
- V2.0 (July 1, 2009): Removed download information because Microsoft Java Virtual Machine is no longer available for distribution from Microsoft. For more information, see Patch availability.