Reported December 11, 2002, by Microsoft.

VERSIONS AFFECTED

·         Microsoft Virtual Machine (VM)

·         Microsoft Windows (all versions)

DESCRIPTION

Eight new vulnerabilities have been discovered in Microsoft Virtual Machine (VM). The most serious of these vulnerabilities can give an attacker complete control over the vulnerable system. The eight vulnerabilities are as follows:

·         A security vulnerability through which an untrusted Java applet can access COM objects. By design, COM objects should be available only to trusted Java programs because of the functionality they expose. An attacker can use functionality provided by these COM objects to take control of the system.

·         Two vulnerabilities that have different underlying causes but the same effect: disguising the location of the Java applet’s codebase. By design, a Java applet that resides in user storage or on a network share has read access to the folder in which it resides and all folders below it. The two vulnerabilities provide methods by which an applet located on a Web site can misrepresent the location of its codebase so that it appears to reside on the user’s local system or a network share.

·         A vulnerability that could permit an attacker to construct a URL that when parsed, loads a Java applet from one Web site but misrepresents the applet as belonging to another Web site. The result is that the attacker’s applet runs in the other site’s domain. Any information the user provides can then be relayed to the attacker.

·         A vulnerability that occurs because VM doesn’t prevent applets from calling the Java Database Connectivity (JDBC) APIs--a set of APIs that provide database-access methods. By design, these APIs let you add, change, delete, or modify database contents, subject only to the user’s permissions.

·         A vulnerability through which an attacker can temporarily prevent specified Java objects from loading and running. A legacy security mechanism called the Standard Security Manager (SSM) provides the ability to impose restrictions on Java applets, including preventing them from running. However, VM doesn't adequately regulate access to the SSM; therefore, an attacker’s applet can add other Java objects to the “banned” list.

·         A vulnerability through which an attacker can learn a user’s username on the local system. The vulnerability occurs because, due to a flaw, the system property user.dir is mistakenly available to untrusted applets. Although knowledge of a username doesn't in itself pose a security risk, it can be useful for reconnaissance purposes.

·         A vulnerability that occurs because a Java applet can perform an incomplete instantiation of another Java object. The effect of doing so can cause the containing application--Microsoft Internet Explorer (IE)--to fail.

VENDOR RESPONSE

Microsoft has released Security Bulletin MS02-069, "Flaw in Microsoft VM Could Enable System Compromise (810030)," to address these vulnerabilities and recommends that affected users immediately apply the appropriate patch available through Windows Update.

CREDIT

Discovered by GreyMagic Software and Thor Larholm.