Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!

TUCoPS :: Windows :: n-026.txt

Flaw Microsoft VM (CIAC N-026)


                       The U.S. Department of Energy
                   Computer Incident Advisory Capability
                           ___  __ __    _     ___
                          /       |     /_\   /
                          \___  __|__  /   \  \___

                             INFORMATION BULLETIN

              Flaw in Microsoft VM Could Enable System Compromise
                     [Microsoft Security Bulletin MS02-069]

December 13, 2002 14:00 GMT                                       Number N-026
PROBLEM:       Eight vulnerabilities have been identified in Microsoft virtual
               machine (VM) which revolve around COM objects, Java applets, 
               and Java objects.
SOFTWARE:      All builds of the Microsoft VM up to and including build 
DAMAGE:        The most serious of these vulnerabilities could allow an 
               attacker to gain control of the user's systems using an 
               untrusted Java applet to access COM objects. 
SOLUTION:      Install build 3809 or later. 
VULNERABILITY  The risk is MEDIUM. An attacker would create a web page that, 
ASSESSMENT:    when opened, exploits the desired vulnerability, and either 
               host it on a web page or send it to a user as an HTML mail. 
 ORIGINAL BULLETIN:                                                           
[***** Start Microsoft Security Bulletin MS02-069 *****]

Microsoft Security Bulletin MS02-069  

Flaw in Microsoft VM Could Enable System Compromise (810030)
Originally posted: December 11, 2002


Who should read this bulletin: Customers using Microsoft® Windows®. 

Impact of vulnerability: Eight vulnerabilities, the most serious of which would enable 
an attacker to gain control over another user’s system. 

Maximum Severity Rating: Critical 

Recommendation: Customers should install build 3809 or later of the Microsoft VM, as 
discussed below. 

Affected Software: 

Versions of the Microsoft virtual machine (Microsoft VM) are identified by build 
numbers, which can be determined using the JVIEW tool as discussed in the FAQ. All 
builds of the Microsoft VM up to and including build 5.0.3805 are affected by these 
End User Bulletin: An end user version of this bulletin is available at: 

Technical details

Technical description: 

The Microsoft VM is a virtual machine for the Win32® operating environment. The 
Microsoft VM shipped in most versions of Windows (a complete list is available in the 
FAQ), as well as in most versions of Internet Explorer. 

A new version of the Microsoft VM is available, which includes all previously released 
fixes for the VM, as well as fixes for eight newly reported security issues. The 
attack vectors for all of the new issues would likely be the same. An attacker would 
create a web page that, when opened, exploits the desired vulnerability, and either 
host it on a web page or send it to a user as an HTML mail. 

The newly reported security issues are as follows: 

A security vulnerability through which an untrusted Java applet could access COM 
objects. By design, COM objects should only be available to trusted Java programs 
because of the functionality they expose. COM objects are available that provide 
functionality through which an attacker could take control of the system. 

A pair of vulnerabilities that, although having different underlying causes, would 
have the same effect, namely, disguising the actual location of the applet’s codebase. 
By design, a Java applet that resides on user storage or a network share has read 
access to the folder it resides in and all folders below it. The vulnerabilities 
provide methods by which an applet located on a web site could misrepresent the 
location of its codebase, to indicate that it resided instead on the user’s local 
system or a network share. 

A vulnerability that could enable an attacker to construct an URL that, when parsed, 
would load a Java applet from one web site but misrepresent it as belonging to another 
web site. The result would be that the attacker’s applet would run in the other site’s 
domain. Any information the user provided to it could be relayed back to the attacker. 

A vulnerability that results because the Microsoft VM doesn’t prevent applets from 
calling the JDBC APIs – a set of APIs that provide database access methods. By design, 
these APIs provide functionality to add, change, delete or modify database contents, 
subject only to the user’s permissions. 

A vulnerability through which an attacker could temporarily prevent specified Java 
objects from being loaded and run. A legacy security mechanism known as the Standard 
Security Manager provides the ability to impose restrictions on Java applets, up to 
and including preventing them from running altogether. However, the VM does not 
adequately regulate access to the SSM, with the result that an attacker’s applet could 
add other Java objects to the “banned” list. 

A vulnerability through which an attacker could learn a user’s username on their local 
system. The vulnerability results because one particular system property, user.dir, 
should not be available to untrusted applets but, through a flaw, is. While knowing a 
username would not in itself pose a security risk, it could be useful for 
reconnaissance purposes. 

A vulnerability that results because it’s possible for a Java applet to perform an 
incomplete instantiation of another Java object. The effect of doing so would be to 
cause the containing application – Internet Explorer – to fail. 

Mitigating factors: 
All of the vulnerabilities share a pair of common mitigating factors: 

The web-based attack vector would be blocked if the user had disabled Java applets in 
the Internet Explorer security zone in which the attacker’s web site rendered. 

The email vector would be blocked if the user were running any of several mail 
clients. Specifically, Outlook Express 6 and Outlook 2002 (which ships as part of 
Office XP) disable Java by default, and Outlook 98 and 2000 disable it if the Outlook 
Email Security Update has been installed. 

COM Object Access Vulnerability:
The vulnerability represents a target of opportunity only. The attacker would have no 
means of ensuring that sensitive data would be located in system memory, cookies, the 
clipboard, or other locations. 

CODEBASE Spoofing Vulnerabilities: 

The attacker’s access to files, including those on remote shares, would be limited to 
those of the user. If the user had only limited permissions, so would the attacker. 

Domain Spoofing Vulnerability: 

The vulnerability could only be exploited if the user visited the attacker’s site en 
route to visiting a third-party site. 

The effect of exploiting the vulnerability would apply only to the current web 

JDBC API Vulnerability: 

To exploit this vulnerability, the attacker would need to know the names of each data 
source he or she wanted to access. In most cases, this would require the attacker to 
have insider knowledge of the user’s network. 

The attacker would gain only the user’s own permissions to the data sources. For 
instance, if the user had only read access to a particular database, so would the 

Standard Security Manager Access Vulnerability: 

The effect of exploiting this vulnerability would only persist during the current 
browser session. 

The vulnerability provides no means of modifying an applet’s functioning – only 
preventing it from running. 

User.dir Exposure Vulnerability: 

Knowing a user’s username would not, by itself, enable an attacker to take any action 
against the user. The sole value in learning this information would be for 
reconnaissance purposes, in the hope of using it in some future, unspecified attack. 

Incomplete Java object Instantiation Vulnerability: 

This vulnerability would only enable the attacker to cause Internet Explorer to fail – 
it would not enable the attacker to cause Windows itself, or any other applications, 
to fail. 

The user could restore normal operation by restarting the browser. 

Severity Rating:  
                                                  Severity Rating 
COM Object Access Vulnerability                      Critical 
CODEBASE Spoofing Vulnerabilities                    Important 
Domain Spoofing Vulnerability                        Moderate 
JDBC API Vulnerability                               Moderate 
Standard Security Manager Access Vulnerability       Low 
User.dir Exposure Vulnerability                      Low 
Incomplete Java object Instantiation Vulnerability   Low 

The above assessment is based on the types of systems affected by the vulnerability, 
their typical deployment patterns, and the effect that exploiting the vulnerability 
would have on them. 

Vulnerability identifiers: 

  COM Object Access Vulnerability: CVE-CAN-2002-1257 

  CODEBASE Spoofing Vulnerabilities: CVE-CAN-2002-1258 

  Domain Spoofing Vulnerability: CVE-CAN-2002-1259 

  JDBC API Vulnerability: CVE-CAN-2002-1260 

  Standard Security Manager Access Vulnerability: CVE-CAN-2002-1261 

  User.dir Exposure Vulnerability: CVE-CAN-2002-1254 

  Incomplete Java object Instantiation Vulnerability: CVE-CAN-2002-1263 

Tested Versions:

Microsoft tested VM builds 5.0.3167 to assess whether they are affected by these 
vulnerabilities. Previous versions are no longer supported, and may or may not be 
affected by these vulnerabilities.

Patch availability

Download locations for this patch 

The patch is available to update existing Microsoft VMs via the Windows Update 
web site. 

Note: A version of the patch that can be downloaded and deployed throughout a 
network is available. Information on obtaining it is available in the FAQ. 

Additional information about this patch

Installation platforms: 

The new VM build can be installed to update Microsoft VMs on the following 
versions of Windows: 

  Microsoft Windows 95 
  Microsoft Windows 98 and 98SE 
  Microsoft Windows Millennium 
  Microsoft Windows NT 4.0, beginning with Service Pack 1 
  Windows 2000 Service Pack 2 or Service Pack 3 
  Microsoft Windows XP Gold or Service Pack 1. 

Inclusion in future service packs:
The fixes included in this build will be included in all future VM builds. 

Reboot needed: Yes 

Patch can be uninstalled: No 

Superseded patches: The new VM build supersedes all builds prior to and including 
5.0.3805 It includes fixes for all issues discussed in the following Microsoft 
security bulletins: 


Verifying patch installation:
Knowledge Base article 810030 provides information to verify that you've installed the 

Note: Regardless of the version number viewed from Jview, the registry key described 
in the above article should be the determining factor for proper installation of this 


Localized versions of this patch are available at the locations discussed in “Patch 

Obtaining other security patches: 
Patches for other security issues are available from the following locations: 

Security patches are available from the Microsoft Download Center, and can be most 
easily found by doing a keyword search for "security_patch". 

Patches for consumer platforms are available from the WindowsUpdate web site 

Other information: 


Microsoft Knowledge Base article 810030 discusses this issue and will be available 
approximately 24 hours after the release of this bulletin. Knowledge Base articles can 
be found on the Microsoft Online Support web site. 

Technical support is available from Microsoft Product Support Services. There is no 
charge for support calls associated with security patches. 
Security Resources: The Microsoft TechNet Security Web Site provides additional 
information about security in Microsoft products. 

The information provided in the Microsoft Knowledge Base is provided "as is" without 
warranty of any kind. Microsoft disclaims all warranties, either express or implied, 
including the warranties of merchantability and fitness for a particular purpose. In 
no event shall Microsoft Corporation or its suppliers be liable for any damages 
whatsoever including direct, indirect, incidental, consequential, loss of business 
profits or special damages, even if Microsoft Corporation or its suppliers have been 
advised of the possibility of such damages. Some states do not allow the exclusion or 
limitation of liability for consequential or incidental damages so the foregoing 
limitation may not apply. 


V1.0 (December 11, 2002): Bulletin Created. 
V1.1 (December 12, 2002): FAQ updated to provide additional references regarding using 
the Windows Update Catalog. 

[***** End Microsoft Security Bulletin MS02-069 *****]

CIAC wishes to acknowledge the contributions of Microsoft for the 
information contained in this bulletin.

CIAC, the Computer Incident Advisory Capability, is the computer
security incident response team for the U.S. Department of Energy
(DOE) and the emergency backup response team for the National
Institutes of Health (NIH). CIAC is located at the Lawrence Livermore
National Laboratory in Livermore, California. CIAC is also a founding
member of FIRST, the Forum of Incident Response and Security Teams, a
global organization established to foster cooperation and coordination
among computer security teams worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH. CIAC
can be contacted at:
    Voice:    +1 925-422-8193 (7x24)
    FAX:      +1 925-423-8002
    STU-III:  +1 925-423-2604

Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.

   World Wide Web:
   Anonymous FTP:

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins.  If you are not part of these
communities, please contact your agency's response team to report
incidents. Your agency's team will coordinate with CIAC. The Forum of
Incident Response and Security Teams (FIRST) is a world-wide
organization. A list of FIRST member organizations and their
constituencies can be obtained via WWW at

This document was prepared as an account of work sponsored by an
agency of the United States Government. Neither the United States
Government nor the University of California nor any of their
employees, makes any warranty, express or implied, or assumes any
legal liability or responsibility for the accuracy, completeness, or
usefulness of any information, apparatus, product, or process
disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products,
process, or service by trade name, trademark, manufacturer, or
otherwise, does not necessarily constitute or imply its endorsement,
recommendation or favoring by the United States Government or the
University of California. The views and opinions of authors expressed
herein do not necessarily state or reflect those of the United States
Government or the University of California, and shall not be used for
advertising or product endorsement purposes.

LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

N-016: Buffer Overrun in Microsoft Data Access Components (MDAC)
N-017: Cisco PIX Multiple Vulnerabilities
N-018: Microsoft Cumulative Patch for Internet Explorer
N-019: Samba Encrypted Password Buffer Overrun Vulnerability
N-020: Red Hat Multiple Vulnerabilities in KDE
N-021: Cumulative Patch for Internet Explorer
N-022: Red Hat Updated wget packages fix directory traversal bug
N-023: Vulnerability in CIFS/9000 Samba Server2 2
N-024: Buffer Overflow Vulnerability in Solaris X Window Font Service
N-025: Vulnerability in RaQ 4 Servers

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2015 AOH