MS02-069: Flaw in Microsoft VM May Compromise Windows (810030)


The information in this article applies to:

  • Microsoft virtual machine, when used with:
    • the operating system: Microsoft Windows XP
    • the operating system: Microsoft Windows 2000 SP2
    • the operating system: Microsoft Windows NT 4.0
    • the operating system: Microsoft Windows Millennium Edition
    • the operating system: Microsoft Windows 98 Second Edition
    • the operating system: Microsoft Windows 98

SYMPTOMS

The Microsoft virtual machine (Microsoft VM) is a virtual machine for the Win32 environment. The Microsoft VM is included in most versions of Windows and in most versions of Microsoft Internet Explorer.

A new version of the Microsoft VM is available that includes all previously released fixes for Microsoft VM and fixes for eight newly reported security issues. The attack vectors for all the new issues are most likely the same. An attacker can create a Web site that, when opened, exploits the particular vulnerability and either hosts the attack vector on a Web site or sends it to a user as an HTML mail message.

The newly reported security issues are:
  • A security vulnerability through which an untrusted Java applet can access Component Object Model (COM) objects

    By design, COM objects expose functionality, and therefore, should be available only to trusted Java programs. Some COM objects provide functionality through which an attacker may be able to take control of the system.
  • A pair of vulnerabilities that can disguise the actual location referred to by an applet's codebase attribute

    Although each vulnerability has different underlying causes, they both have the same potential effect. By design, a Java applet that resides on user storage or a network share has read access to the folder that it resides in and to all folders below it. These vulnerabilities provide methods by which an applet that is located on a Web site can be made to misrepresent its location in its codebase attribute. That is, the applet appears to reside on the user's local system or a network share instead of in its actual location.
  • A vulnerability that can permit an attacker to construct a URL that, when parsed, loads a Java applet from one Web site but misrepresents it as belonging to another Web site

    This vulnerability permits the attacker's applet to run in the other site's domain. Any information that the user provides to this applet can be relayed back to the attacker.
  • A vulnerability that permits an applet to modify database contents

    This vulnerability occurs because the Microsoft VM does not prevent applets from calling the JDBC APIs, a set of APIs that provide database access methods. By design, these APIs provide functionality to add, change, delete, and modify database contents, and they are subject only to the user's permissions.
  • A vulnerability through which an attacker can temporarily prevent specified Java objects from being loaded and run

    The Standard Security Manager, an earlier version security mechanism, permits a user to impose restrictions on Java applets, including preventing them from running at all. However, the Microsoft VM does not adequately control access to the Standard Security Manager, and therefore, an attacker's applet can add other Java objects to the "banned" list.
  • A vulnerability through which an attacker can learn a user's user name on the user's local computer

    This vulnerability occurs because the user.dir system property is available to untrusted applets. Although knowing a user name does not in itself pose a security risk, an attacker may find this information useful for reconnaissance purposes.
  • A vulnerability that occurs because a Java applet may perform an incomplete instantiation of another Java object

    This causes the containing program (Internet Explorer) to fail.

RESOLUTION

To resolve this problem, install the "810030: Microsoft VM Security Update" package. This update upgrades your Microsoft VM to version 5.00.3809. All versions of the Microsoft VM earlier than 5.00.3809 are affected by the vulnerabilities that are listed in the "Symptoms" section of this article.

Locate the Update

To locate the update, visit the "Critical Updates" section of the following Microsoft Windows Update Web site:

http://windowsupdate.microsoft.com

Administrators can download this update from the Windows Update Catalog to deploy to multiple computers that already have the Microsoft VM installed. If you need to obtain this update to install later, on one or more than one computer, search for this article ID number using the Advanced Search Options in the Windows Update Catalog. For additional information about how to download updates from the Windows Update Catalog, click the following article number to view the article in the Microsoft Knowledge Base:

323166 HOW TO: Download Windows Updates and Drivers from the Windows Update Catalog

Note The Windows 2000 version of this Microsoft VM update requires Windows 2000 Service Pack 2 or later and cannot be installed on any other operating system. To download this update for Windows 2000, select either Windows 2000 SP2 or Windows 2000 SP3 for your operating system.

To download this update for Windows XP, Windows NT 4.0, Windows Millennium Edition (Me), Windows 98 Second Edition, or Windows 98, select Windows XP, Windows Millennium Edition, or Windows 98 for your operating system.

Note Windows NT 4.0-based computers do not have access to the Windows Update Catalog. If you have to download a Windows NT 4.0 package to install on multiple computers, or to install later, access the Windows Update catalog by using a computer than runs Windows 98, Windows Millennium Edition, Windows 2000, Windows XP, or Windows Server 2003, and then select Windows 98, Windows Millennium Edition, or Windows XP for your operating system. This security update is also designed to install on Windows NT 4.0 computers. Administrators who do not have access to a Windows XP, Windows 98, Windows Millennium Edition, Windows 2000, or Windows Server 2003-based computer to use the Windows Update Catalog can contact Microsoft Product Support Services to obtain the patch. For a complete list of Microsoft Product Support Services phone numbers and information about support costs, visit the following Microsoft Web site:

http://support.microsoft.com/default.as px?scid=fh;EN-US;CNTACTMS

Installation Information

You can install this update only on computers with a previous version of the Microsoft VM installed. For additional information about how to install the Microsoft VM silently without restarting your computer, click the following article number to view the article in the Microsoft Knowledge Base:

304930 How to Install the Microsoft Virtual Machine Silently Without Restarting Your Computer

File Information

The English version of this fix has the file attributes (or later) that are listed in the following table. The dates and times for these files are listed in coordinated universal time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time tool in Control Panel. 
   Date         Time   Version         Size       File name
   --------------------------------------------------------------
   20-Mar-2002  11:52                      2,678  Classes.cer
   18-Nov-2002  14:07                  5,751,849  Classes.zip
   18-Nov-2002  14:11  5.0.3809.0        404,752  Javart.dll       
   18-Nov-2002  14:09  5.0.3809.0        172,304  Jview.exe        
   18-Nov-2002  14:11  5.0.3809.0        947,984  Msjava.dll       
   20-Mar-2002  11:52                      2,678  Msjdbc.cer
   18-Nov-2002  14:07                    137,482  Msjdbc.zip
   29-May-2001  00:58                     10,957  Osp.zip
Note After you install the updated VM, all the .zip files will have different names. This is typical behavior and can be ignored. Also note that only some of the files in the Zip package have been changed for this release. However, these files cannot be packaged individually.

STATUS

Microsoft has confirmed that this problem may cause a degree of security vulnerability in the Microsoft VM.

MORE INFORMATION

To determine the Microsoft VM build number on a computer that is running Windows 98, Windows 98 Second Edition (SE), or Windows Millennium Edition, follow these steps:
  1. Click Start, and then click Run.
  2. In the Open box, type command, and then click OK.
  3. At the command prompt, type jview, and then press ENTER. Notice that the version information appears on the first line as "Version n.nn.nnnn," where the last four nnnn digits are the build number. For example, 5.00.3802 is Microsoft VM build 3802.
To determine the Microsoft VM build number on a computer running Windows NT 4.0, Windows 2000, or Windows XP, follow these steps:
  1. Click Start , and then click Run.
  2. In the Open box, type cmd, and then click OK.
  3. At the command prompt, type the following command, and then press ENTER:

    jview

    Notice that the version information appears on the first line as "Version n.nn.nnnn," where the last four nnnn digits are the build number. For example, 5.00.3802 is Microsoft VM build 3802.
For more information about this vulnerability, visit the following Microsoft Web site:

http://www.microsoft.com/technet/security/bulletin/MS02-069.mspx

Modification Type:MinorLast Reviewed:9/27/2004
Keywords:kbdownload kbbug kbfix KbSECBulletin kbSecurity KbSECVulnerability KbQFE KB810030
©2004 Microsoft Corporation. All rights reserved.