Critical flaw in Windows could allow rogue Java code

Microsoft has revamped its ratings of security bulletins to save the Critical rating for really dangerous threats. One of the first to receive this new rating is a lethal flaw in the Microsoft Virtual Machine.

One of the first security bulletins to meet Microsoft’s new, tougher Critical criteria is MS02-069, which includes notice of a COM Object Access Vulnerability that may let attackers run untrusted Java applets and therefore take over a Windows system remotely, performing almost any action and reading or modifying any file. The bulletin also covers seven other risks associated with the Microsoft Virtual Machine.

Part of the new policy implemented by Microsoft is a dual bulletin system that also includes a less technical, user-oriented version of this bulletin, which will provide all the details needed by most users.

The Microsoft Virtual Machine involved in these reported vulnerabilities is the engine used to run Java applets on all Windows systems and can be found on nearly all systems running Windows 98 or later.

Some of the problems corrected by this patch are rated as Low threats, but the inclusion of one Critical and one Important threat, along with two Moderate threats, should make this a mandatory upgrade for many systems, with the notable exception of those that have reasonable protection as detailed below in the “Mitigating factors” section.

The Component Object Model (COM) Object Access Vulnerability is the most dangerous because it allows an attacker to bypass the normal security checks that should prevent untrusted Java applets from running.

The part of this multifaceted fix that addresses the critical COM vulnerability is directed at closing the loophole so that the VM will run only trusted Java applets, whether the user encounters them by visiting a Web site or from opening an HTML e-mail message.

Another vulnerability, rated Important by Microsoft, is the CODEBASE Spoofing Vulnerability. Exploiting this vulnerability would allow an attacker to read, but not alter, files on the vulnerable system.

Virtually all installed versions of the Microsoft Virtual Machine are covered by this bulletin, but specifically those with build versions up to and including build 5.0.3805. To confirm that your system has the Microsoft VM installed, open the Command Prompt and run the command jview. If the Microsoft VM is installed, this brings up a help screen that lists the current version number.

Risk level—critical
The Critical COM Object Access Vulnerability could allow an attacker’s Java applet, which came either from a malicious Web site or an HTML e-mail, to gain complete access to the data on the vulnerable system, including the content of cookies and other sensitive information.

Other vulnerabilities addressed by the same patch pose a variety of threat levels but, since one patch fixes all, you should refer to the Microsoft bulletin if you need more details after reading about the mitigating factors.

Mitigating factors
Microsoft reports that Web-based COM Object Access Vulnerability attacks would be blocked if Java applets are disabled in the IE security zone that covers the attacker’s Web site.

E-mail attacks would be blocked by Outlook Express 6 and Outlook 2002, which disable Java by default, and by Outlook 98 or 2000, either of which disables Java if the Outlook Email Security Update is installed.

The CODEBASE vulnerability would also be mitigated by the same factors, as would both of the Moderate threats, and all but one of the Low threats.

See the security bulletin for instructions on how to upgrade various versions. If running jview shows that you already have build 3809 or later installed, then you don’t need to update. All these vulnerabilities are supposed to be corrected in that and later builds, and so can be fixed by upgrading to a new version of the VM.
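The version check described above (run jview, read the build number, compare it with the 3805/3809 thresholds from the bulletin) can be scripted so it is applied the same way on every machine. The following is an added example written for this article, not code from Microsoft or from the bulletin; it assumes that jview prints a banner containing a "Version a.b.cccc" token (the sample banners below are constructed to match that assumption) and that only the last number is the build. Builds between 3805 and 3809 are reported as "unknown" because the article does not describe them.

```python
import re
import subprocess
from typing import Optional

# Build numbers taken from the article: builds up to and including 3805 are
# covered by MS02-069, and 3809 is the build in which the fixes are present.
LAST_AFFECTED_BUILD = 3805
FIXED_BUILD = 3809

# Constructed sample output, standing in for what jview prints. The exact
# banner wording is an assumption; only the "Version a.b.cccc" token is parsed.
SAMPLE_BANNER_VULNERABLE = (
    "Microsoft (R) Command-line Loader for Java Version 5.00.3805\n"
    "Copyright (C) Microsoft Corp 1996-2000. All rights reserved.\n"
)
SAMPLE_BANNER_PATCHED = "Microsoft (R) Command-line Loader for Java Version 5.00.3810\n"
SAMPLE_BANNER_MISSING = "'jview' is not recognized as an internal or external command\n"

_VERSION_RE = re.compile(r"Version\s+(\d+)\.(\d+)\.(\d+)")


def parse_build(banner: str) -> Optional[int]:
    """Return the VM build number found in jview's banner, or None if absent."""
    match = _VERSION_RE.search(banner)
    return int(match.group(3)) if match else None


def assess(banner: str) -> str:
    """Classify a machine from its jview output using the bulletin's thresholds."""
    build = parse_build(banner)
    if build is None:
        return "no-vm"        # jview not present: no Microsoft VM, nothing to patch
    if build <= LAST_AFFECTED_BUILD:
        return "vulnerable"   # covered by MS02-069: apply the update
    if build >= FIXED_BUILD:
        return "patched"      # fixed build or later: no action needed
    return "unknown"          # 3806-3808: not described by the article


def run_jview() -> str:
    """Run jview on this machine and return whatever it printed (empty if absent)."""
    try:
        proc = subprocess.run(["jview"], capture_output=True, text=True)
    except FileNotFoundError:
        return ""
    # jview prints its help screen on stdout, but capture both streams to be safe
    return proc.stdout + proc.stderr


if __name__ == "__main__":
    # Offline demonstration on the constructed samples, then the live check.
    for label, banner in [("sample-vulnerable", SAMPLE_BANNER_VULNERABLE),
                          ("sample-patched", SAMPLE_BANNER_PATCHED),
                          ("sample-missing", SAMPLE_BANNER_MISSING)]:
        print(f"{label}: {assess(banner)}")
    print(f"this machine: {assess(run_jview())}")
```

On a machine without the Microsoft VM the live check returns "no-vm", which matches the article's point that the patch is only relevant where the VM is installed; a "vulnerable" result still has to be weighed against the mitigating factors before deciding whether to apply the update.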

All but one of these vulnerabilities are mitigated in some common configurations, and the one that isn’t is a very low-level threat (Incomplete Java Object Instantiation Vulnerability); it would simply cause the VM to crash until restarted. As a result, many installations may not need this upgrade, but it’s important to verify that the Outlook protections are in place for your systems before relying on the mitigating factors for protection.

Final word
I think this is a good example of the way Microsoft intends to use the new rating system. In this security bulletin, a single update to the Virtual Machine is grouped in with a variety of other fixes. However, the use of the Critical rating makes it easy to determine if you need to install the patch. As stated above, good security practices would probably block the attack vector on the one critical flaw, so there may not be a real need to apply this patch. But at least it’s easy to identify this security bulletin as one that must be evaluated on a case-by-case basis.
