Microsoft released two important security hotfixes during the last 2 weeks of December. If you don’t use Windows XP’s Automatic Update feature to apply hotfixes, you should manually install the hotfix that eliminates an unchecked buffer vulnerability that might let a malicious user run code locally with the rights of the locally logged-on user. All sites should install the latest Virtual Machine (VM) hotfix on all Windows platforms. The latest VM version, 3809, eliminates eight newly discovered flaws, several of which can have severe consequences.

XP Unchecked Buffer
Microsoft released an XP-specific hotfix on December 18. Microsoft Security Bulletin MS02-072 (Unchecked Buffer in Windows Shell Could Enable System Compromise) addresses a buffer-overflow vulnerability in the Windows shell in XP and XP Service Pack 1 (SP1) systems. The Windows shell manages the desktop, organizes files and folders, and runs applications. When you place the mouse cursor over an icon, file, or folder on the desktop, you see a thumbnail description of the item. The shell uses the shmedia.dll function to display this information for .mp3 and .wma sound files. To display a thumbnail of a sound file, shmedia.dll opens and processes custom attribute data embedded in the audio file. A bug in how this function processes the custom attributes lets a malicious user exploit a buffer-overflow loophole to run code of the attacker’s choice.

A user can launch such an attack on a Web site, in a network share, or in an HTML-based email. To do so, the attacker constructs an .mp3 or .wma file that contains a custom attribute that overflows the shell function's buffer, then lures a user to preview or display a thumbnail of the audio file. When this exploit is successful, the buffer overrun causes the shell to fail or, in the worst case, permits an attacker to run code with the rights of the logged-on user. Because this vulnerability lets an attacker run code of the attacker’s choice, the vulnerability has a critical severity rating. You can download and install the patch from http://microsoft.com/downloads/details.aspx?familyid=a0be7af2-2653-4767-a85d-24bf68d28d20&displaylang=en.

Although this vulnerability involves .mp3 and .wma sound files, an attacker can exploit it only through the flaw in the shmedia.dll function. Windows Media Player (WMP) isn't affected by this flaw and doesn't need an update. For more information about this vulnerability, see the Microsoft article "MS02-072: Unchecked Buffer in Windows Shell Might Permit System Compromise".

New VM Security Flaws
Extensive testing of the Windows virtual machine (VM), the code that executes when you open a command prompt or run a command or program from the Start menu, has uncovered eight new security problems, several of which have a critical severity rating. The latest VM hotfix eliminates vulnerabilities an attacker can exploit to gain full control of a system; read local or network files; redirect a browser to an alternate Web site; and access your username and other data the system caches in memory, in cookies, or on the clipboard. To mount such an attack, a malicious user constructs HTML code that takes advantage of the flaws and places this code on a Web site or in an email message. When you browse a Web site or read an email that contains the malicious HTML code, the code can access and copy data that should remain private.

Microsoft Security Bulletin MS02-069 (Flaw in Microsoft VM Could Enable System Compromise) states that these vulnerabilities affect all Microsoft platforms running VM versions 3805 and earlier. I suspect that the security bulletin is slightly outdated because the VM hotfix Microsoft released in October (MS02-052—"Flaw in Microsoft VM JDBC Classes Could Allow Code Execution") upgrades the VM to version 3807. Unless you like playing with fire, I recommend you download this hotfix as soon as possible and apply it to all systems running VM version 3807 and later, not just systems running version 3805.

You can use the Jview command to display the current VM version number. Jview reports version 3805 after you install the October VM hotfix. This inconsistency isn't a problem because you need to install this hotfix on all systems, including those running VM version 3807.

You must use Windows Update to install the hotfix manually and to download the hotfix for internal distribution to multiple machines. When I visited Windows Update, the site informed me that I needed to download a new ActiveX control before I could scan for updates, so don’t be surprised if you see a similar prompt. After scanning the system, Windows Update listed the VM hotfix in the list of critical updates as "810030: Microsoft VM Security Update (Windows 2000)." You can select the hotfix from the list to install it immediately, or you can use the Windows Update Catalog and download the hotfix executable for later installation. To download the file, go to the Windows Update site, click Windows Update Catalog, select Windows 2000 as the OS, and use "810030: Microsoft VM Security Update" as the search string. The Microsoft article "MS02-069: Flaw in Microsoft VM May Compromise Windows" states the hotfix contains eight components: classes.cer, classes.zip, javart.dll, jviewl.exe, msjava.dll, msjdbc.cer, msjdbc.zip, and osp.zip. Most of the files have a release date of November 18, 2002.

After I installed this hotfix manually, the Setup Wizard told me I needed to reboot the system. After the system restarted, the Jview command correctly reported version 3809. This hotfix creates the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{08B0E5C0-4FCB-11CF-AAA5-00401C608500} registry subkey. The value for this subkey shows that the system is running msjava.dll version 3809. As with the previous VM hotfix, this hotfix doesn't appear in the Add/Remove Programs list, so you can't easily uninstall it.
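
A fleet check built on the two version sources described above (Jview output and the Active Setup registry value), added here as an example that is not part of the original article. The host names, the sample strings, and the exact version-string formats are assumptions constructed for illustration.

```python
import re

# Build the article says Jview reports once the MS02-069 hotfix is installed.
PATCHED_BUILD = 3809

# Assumed formats: dotted in Jview output ("5.00.3809"), comma-separated in
# the Active Setup registry value ("5,00,3809,0"). Build is the third field.
_VERSION_RE = re.compile(r"\b\d+[.,]\d+[.,](\d{4})(?:[.,]\d+)?\b")


def vm_build(text):
    """Return the Microsoft VM build number found in text, or None."""
    match = _VERSION_RE.search(text)
    return int(match.group(1)) if match else None


def audit(inventory):
    """Map each host to (build, status).

    Any build below 3809 is flagged, whether it reads 3805 or 3807, because
    the article notes Jview can report 3805 on a system patched to 3807.
    """
    report = {}
    for host, raw in inventory.items():
        build = vm_build(raw)
        if build is None:
            status = "unknown"          # no version found: check by hand
        elif build >= PATCHED_BUILD:
            status = "patched"
        else:
            status = "needs hotfix"
        report[host] = (build, status)
    return report


def hosts_to_fix(inventory):
    """Hosts that are not confirmed at build 3809 or later, sorted."""
    return sorted(h for h, (_, s) in audit(inventory).items() if s != "patched")


# Constructed sample data: hypothetical hosts and collected version strings.
SAMPLE_INVENTORY = {
    "ws-01": "Microsoft (R) Command-line Loader for Java Version 5.00.3805",
    "ws-02": "5,00,3809,0",
    "ws-03": "5.00.3807",
    "ws-04": "'jview' is not recognized as an internal or external command",
}

if __name__ == "__main__":
    for host, (build, status) in sorted(audit(SAMPLE_INVENTORY).items()):
        print(f"{host}: build={build} status={status}")
```

Hosts reported as "unknown" stay on the to-fix list, so a machine where the version could not be collected is never silently treated as patched.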