N-074: Microsoft Virtual Machine (VM) Vulnerability

[***** Start Microsoft Security Bulletin MS03-011 *****]

Microsoft Security Bulletin MS03-011    

Flaw in Microsoft VM Could Enable System Compromise (816093)
Originally posted: April 09, 2003

Summary
Who should read this bulletin: Customers using Microsoft® Windows®. 

Impact of vulnerability: Allow attacker to execute code of his or her choice. 

Maximum Severity Rating: Critical 

Recommendation: Customers should install build 3810 or later of the 
Microsoft VM, as discussed below 

End User Bulletin: An end user version of this bulletin is available at: 
http://www.microsoft.com/security/security_bulletins/ms03-011.asp 

Affected Software: 

Versions of the Microsoft virtual machine (Microsoft VM) are identified by 
build numbers, which can be determined using the JVIEW tool as discussed 
in the FAQ. All builds of the Microsoft VM up to and including build 
5.0.3809 are affected by these vulnerabilities. 

Technical details

Technical description: 

The Microsoft VM is a virtual machine for the Win32® operating environment. 
The Microsoft VM is shipped in most versions of Windows (a complete list 
is available in the FAQ), as well as in most versions of Internet Explorer. 

The present Microsoft VM, which includes all previously released fixes to 
the VM, has been updated to include a fix for the newly reported security 
vulnerability. This new security vulnerability affects the ByteCode 
Verifier component of the Microsoft VM, and results because the ByteCode 
verifier does not correctly check for the presence of certain malicious 
code when a Java applet is being loaded. The attack vector for this new 
security issue would likely involve an attacker creating a malicious Java 
applet and inserting it into a web page that when opened, would exploit 
the vulnerability. An attacker could then host this malicious web page on 
a web site, or could send it to a user in e-mail 

Mitigating factors: 

In order to exploit this vulnerability via the web-based attack vector, 
the attacker would need to entice a user into visiting a web site that 
the attacker controlled. The vulnerability themselves provide no way to 
force a user to a web site. 

Java applets are disabled within the Restricted Sites Zone. As a result, 
any mail client that opened HTML mail within the Restricted Sites Zone, 
such as Outlook 2002, Outlook Express 6, or Outlook 98 or 2000 when used 
in conjunction with the Outlook Email Security Update, would not be at 
risk from the mail-based attack vector. 

The vulnerability would gain only the privileges of the user, so customers 
who operate with less than administrative privileges would be at less risk 
from the vulnerability. 

Corporate IT administrators could limit the risk posed to their users by 
using application filters at the firewall to inspect and block mobile code. 

Severity Rating:   
Microsoft VM Critical 
The above assessment is based on the types of systems affected by the 
vulnerability, their typical deployment patterns, and the effect that 
exploiting the vulnerability would have on them. 

Vulnerability identifier: CAN-2003-0111 

Tested Versions:
Microsoft tested VM builds 5.0.3802 and later to assess whether they are 
affected by these vulnerabilities. Previous versions are no longer supported, 
and may or may not be affected by these vulnerabilities.


Patch availability

Download locations for this patch Download locations for this patch
 
The patch is available to update existing Microsoft VMs via the 
Windows Update web site. 

For Windows 2000 Service Packs 2 & 3 only, the patch is also available at: 
   -  All except Japanese NEC 
   -  NEC Japanese 
Note: A version of the patch that can be downloaded and deployed throughout 
a network is available. Information on obtaining it is available in the FAQ. 


Additional information about this patch

Installation platforms: The new VM build can be installed to update 
Microsoft VMs on the following versions of Windows: 

Microsoft Windows 95 
Microsoft Windows 98 and 98SE 
Microsoft Windows Millennium 
Microsoft Windows NT 4.0, beginning with Service Pack 1 
Windows 2000 Service Pack 2 or Service Pack 3 
Microsoft Windows XP Gold or Service Pack 1. 
Inclusion in future service packs:
The fixes included in this build will be included in all future VM builds. 

Reboot needed: Yes 

Patch can be uninstalled: No 

Superseded patches: 

The new VM build supersedes all builds prior to and including 5.0.3809. 
It includes fixes for all issues discussed in the following Microsoft 
security bulletins: 

MS99-031 
MS99-045 
MS00-011 
MS00-059 
MS00-075 
MS00-081 
MS02-013 
MS02-052 
MS02-069 
Verifying patch installation: Knowledge Base article 816093 provides 
information to verify that you've installed the patch. 

Note: Regardless of the version number viewed from Jview, the registry 
key described in the above article should be the determining factor for 
proper installation of this patch 

Caveats:
None 

Localization:
Localized versions of this patch are available at the locations discussed 
in “Patch Availability”. 

Obtaining other security patches: 
Patches for other security issues are available from the following locations: 


Security patches are available from the Microsoft Download Center, and can 
be most easily found by doing a keyword search for "security_patch". 

Patches for consumer platforms are available from the WindowsUpdate web site 

Other information: 

Support: 

Microsoft Knowledge Base article 816093 discusses this issue and will be 
available approximately 24 hours after the release of this bulletin. 
Knowledge Base articles can be found on the Microsoft Online Support web 
site. 

Technical support is available from Microsoft Product Support Services. 
There is no charge for support calls associated with security patches. 

Security Resources: The Microsoft TechNet Security Web Site provides 
additional information about security in Microsoft products. 

Disclaimer: 
The information provided in the Microsoft Knowledge Base is provided 
"as is" without warranty of any kind. Microsoft disclaims all warranties, 
either express or implied, including the warranties of merchantability and 
fitness for a particular purpose. In no event shall Microsoft Corporation 
or its suppliers be liable for any damages whatsoever including direct, 
indirect, incidental, consequential, loss of business profits or special 
damages, even if Microsoft Corporation or its suppliers have been advised 
of the possibility of such damages. Some states do not allow the exclusion 
or limitation of liability for consequential or incidental damages so the 
foregoing limitation may not apply. 

Revisions: 

V1.0 (April 09, 2003): Bulletin Created. 

[***** End Microsoft Security Bulletin MS03-011 *****]

    Voice:          +1 925-422-8193 (7 x 24)
    FAX:            +1 925-423-8002
    STU-III:        +1 925-423-2604
    E-mail:          ciac@ciac.org
    World Wide Web:  http://www.ciac.org/
    Anonymous FTP:   ftp.ciac.org