|
|
|
|
| |
| Microsoft has released a patch that eliminates a security vulnerability in the Microsoft virtual machine that was originally discussed in the Microsoft Security Bulletin MS00-011. Like the original vulnerability, this new variant enables a malicious web site operator to read files from the computer of a person who visited his site. |
| |
Credit:
The information has been provided by Microsoft Product Security.
|
| |
Affected Software versions:
Versions of the Microsoft VM are identified by build numbers, which can be determined using the JVIEW tool, as discussed below. The following builds of the Microsoft VM are affected:
- All builds in the 2000 series.
- All builds in the 3000 series.
Note: The Microsoft VM ships as part of several products. However, the primary ship vehicle is Internet Explorer.
The Microsoft VM is a virtual machine for the Win32 operating environment. It runs atop Microsoft Windows 95, 98, Me, Windows NT 4.0, and Windows 2000. It ships as part of each operating system, and as part of Microsoft Internet Explorer.
The version of the Microsoft VM that ships with Microsoft Internet Explorer 4.x and Internet Explorer 5.x contains a security vulnerability that allows a Java applet to operate outside the bounds set by the sandbox. A malicious user could write a Java applet that could read - but not change, delete or add - files from the computer of a person who visited his site or read web content from inside an Intranet.
The vulnerability at issue here is a new variant of the vulnerability originally discussed in Microsoft Security Bulletin MS00-011. The only significant difference between the new and original variants lies in the specific programming technique used to exploit the vulnerability; in other respects, the two are virtually identical. Applying the new patch eliminates both the new and original variants.
Patch Availability:
New versions of the Microsoft VM that include a fix for the vulnerability can be downloaded from the following locations:
- 2000-series builds:
A patch specifically for the 2000-series builds will be available shortly. Customers who wish to eliminate the vulnerability can also do so by upgrading to build 3319 at:
http://www.microsoft.com/java/vm/dl_vm40.htm
- 3000-series:
Upgrade to build 3319 or later at
http://www.microsoft.com/java/vm/dl_vm40.htm
Note: 2000-series builds are shipped as part of Internet Explorer 4.x; 3000 series builds are shipped as part of Internet Explorer 5.x. However, customers may upgrade the Microsoft VM on their machines independent of the browser, and the Microsoft VM also ships as part of many other applications, so it is possible for the actual build number to be higher than the one associated with the version of IE that is installed on the machine. In such cases, customers should determine what version of the patch to install based on the build number, not on the version of IE.
What's the scope of the vulnerability?
This is a new variant of the "VM File Reading" vulnerability discussed in Microsoft Security Bulletin MS00-011. Like the original vulnerability, the new variant would allow a malicious web site to read - but not to change, add or delete - files from the computer of a person who visited his site or read web content from inside an intranet if the malicious site is visited by a computer from within that intranet.
The patch provided in the Patch Availability section of this bulletin provides protection against all known variants of the vulnerability. As a result, customers who previously installed the patch provided in MS00-011 should also install the patch provided here. However, customers who have not installed the MS00-011 patch only need to install the one provided here in order to be fully protected against both variants.
Are all Java programs affected by this vulnerability?
No. There are two general classes of Java programs: Java applications, which are hosted on the same machine they run on, and Java applets, which are hosted on web sites and run on user's computers when they visit the site. Only Java applets are affected by this vulnerability.
Because Java applets are untrusted code, they are treated differently than Java applications. They are run within a virtual machine that uses a "sandbox" to restrict what they can do. In general, the sandbox is designed to prevent a Java applet from taking any inappropriate actions on the user's computer. The vulnerability at issue here involves a flaw in the sandbox.
What is the vulnerability?
Among the inappropriate actions that the sandbox should prevent a Java applet from taking is reading files on the user's computer. However, through a complex series of steps, it is possible for an applet to bypass this restriction. The applet could not change, add or delete files, but could send the contents of the files it read back to the web site.
How does the new variant differ from the original variant?
The two vulnerabilities are very similar. The effect of the vulnerabilities is the same, and both involve the same general mechanism.
Would the malicious user need to know the name and location of the files he wanted to read?
This is one area in which the new variant is slightly different from the original one. In the original variant, the malicious user would need to know in advance the names of all files he wanted to read, and program them into the applet. The new variant makes things slightly easier for the malicious user, depending on where the files are located:
* If the malicious user exploited the vulnerability to read files directly from the victim's computer, it would be possible for the applet to determine the names of the files present on the computer.
* If the malicious user exploited the vulnerability to read files on the victim's intranet, it would be somewhat more difficult. The applet could not determine the names of machines and shares on the victim's intranet. However, if these were known, the applet could determine what files existed on them. For instance, the applet could not determine that a share named \\server1\myfiles existed on the intranet, but if the malicious user could learn this information through other means, his applet could list the files on \\server1\myfiles and select particular ones.
How do I know if I have a version of the Microsoft VM that has the vulnerability?
The easiest way to tell is by checking the software you have installed on your machine:
* If you're using IE 4.x or IE 5.x, you definitely have a version of the VM that's affected by the vulnerability. It doesn't matter what other software you have installed; if IE 4.x or 5.x are installed, you have an affected version of the VM.
* Even if you're not using a version of the IE that is affected by the vulnerability, you could still have an affected version of the Microsoft VM, as it ships as part of other products like Visual Studio. In this case, the best course is to determine the build number for the version of the Microsoft VM you are using and see if you have an affected version.
How do I determine the build number for my version of the Microsoft VM?
- Open a command window:
On Windows NT or Windows 2000, choose "Start", then "Run", then type "CMD" and hit the enter key. On Windows 95 or 98, choose "Start", then "Run" then type "COMMAND" and hit the enter key.
- At the command prompt, type "JVIEW" and hit the enter key.
- The version information will be at the right of the topmost line. It will have a format like "5.00.xxxx", where the "xxxx" is the build number. For example, if the version number is 5.00.1234, you have build number 1234.
I've determined the build number. How do I tell if I'm affected?
Use this table to determine whether you have an affected version:
Build Number - Status
2000-2447 - Affected by the vulnerability
2752-3194 - Affected by the vulnerability
3229-3240 - Affected by the vulnerability
3300-3318 - Affected by the vulnerability
All other versions - Not affected by the vulnerability or not a supported VM version
Note: All users who have an affected version of the Microsoft VM should install the new VM build.
I applied the patch for the original version of the vulnerability. Does that patch eliminate the new variant?
No. To protect against both of the known variants of this vulnerability, you should apply the patch discussed in the Patch Availability section of this bulletin.
* The patch provided in Microsoft Security Bulletin MS00-011 only protects against the original variant of the vulnerability.
* The patch provided in this bulletin protects against both known variants of the vulnerability. If you apply it, you don't need to apply the patch provided in Microsoft Security Bulletin MS00-011.
What does the patch do?
The patch restores the sandbox restrictions in order to prevent this vulnerability.
How do I use the patch?
Knowledge Base article Q277014 contains detailed instructions for applying the patch to your site.
|
|
|
|
|
|
|
