Microsoft Virtual Machine hole needs to be plugged

Many Windows systems may be vulnerable to a flaw that's been discovered in the Microsoft Virtual Machine, which is used to run Java code on Windows. The flaw could allow an attacker to run malicious code by tricking users.

Microsoft Security Bulletin MS03-011, “Flaw in Microsoft VM Could Enable System Compromise,” reports that a critical-rated vulnerability has been found in all versions of Microsoft’s Virtual Machine, the software that runs Java applications in Microsoft Windows and Internet Explorer.

The newly discovered vulnerability is due to a flaw in the way the ByteCode Verifier loads. This is a low-level process that determines whether the Java code is valid. A carefully crafted applet on a Web site or sent via HTML e-mail could bypass any security checks.

For more information about how Microsoft supports Java, see the Microsoft Virtual Machine index page. On that page, you’ll also find links to the current status of the legal wrangling between Sun and Microsoft over just which version of the Virtual Machine will ship with Microsoft products.

According to the Microsoft Security Bulletin, “all builds of the Microsoft Virtual Machine up to and including build 5.0.3809 are affected by these vulnerabilities.” The Microsoft Virtual Machine is likely to be found running on all versions of Windows starting with Windows 95. To determine whether your system has the Microsoft Virtual Machine installed, open the command prompt and run the command jview.

If the Microsoft Virtual Machine is installed, the program will execute and present a list of options. The top line will also include the version number. For example, this might be 5.00.3161 on an early Windows XP installation.

The latest version of the Microsoft Virtual Machine is 5.0.3810. If you have that version installed—or you don't have the Microsoft Virtual Machine installed at all—no action is required.
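The check described above (run jview, read the version from the banner, compare the build against 5.0.3809/5.0.3810) can be scripted for an inventory sweep. The following is an added example, not code from the article or from Microsoft; the wording of jview's banner line is a constructed assumption, so the parser relies only on a dotted major.minor.build token appearing in the first line of output.

```python
"""Classify a Microsoft VM build against MS03-011 from jview's first output line."""
import re
import subprocess

# MS03-011: every build up to and including 5.0.3809 is affected; 5.0.3810 carries the fix.
LAST_VULNERABLE = (5, 0, 3809)

VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)\b")


def parse_build(banner_line):
    """Return (major, minor, build) from a banner line, or None if no version token is present.

    The zero-padded minor field seen in practice ("5.00.3161") is normalised by
    converting every field to an integer.
    """
    m = VERSION_RE.search(banner_line)
    if not m:
        return None
    return tuple(int(g) for g in m.groups())


def classify(banner_line):
    """Map a banner line to 'vulnerable', 'patched' or 'unknown'.

    Tuple comparison covers builds from earlier major versions as well, since the
    bulletin states that all builds up to 5.0.3809 are affected.
    """
    version = parse_build(banner_line)
    if version is None:
        return "unknown"
    return "vulnerable" if version <= LAST_VULNERABLE else "patched"


def check_local_vm():
    """Run jview on this host and classify the installed VM.

    Returns 'not installed' when jview cannot be found, which per the bulletin
    means no action is required.
    """
    try:
        proc = subprocess.run(["jview"], capture_output=True, text=True)
    except FileNotFoundError:
        return "not installed"
    output = proc.stdout or proc.stderr
    first_line = output.splitlines()[0] if output.strip() else ""
    return classify(first_line)


if __name__ == "__main__":
    # Constructed banner lines standing in for real jview output (format assumed).
    for line in ("Microsoft (R) Command-line Loader for Java Version 5.00.3161",
                 "Microsoft (R) Command-line Loader for Java Version 5.00.3810"):
        print(classify(line), "<-", line)
    print("local host:", check_local_vm())
```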

Risk level—critical
Exploiting the hole in this piece of code can enable an attacker to run arbitrary code on the penetrated system.

Mitigating factors
As usual with this sort of threat, the attacker needs to entice a user to visit a particular Web site or open malicious HTML e-mail. Any system that has been configured so that HTML e-mail is opened in the Restricted Zone will be safe from this attack.

On a network, this attack will grant the same privileges as those held by the user who was attacked. Firewalls may provide protection against this attack vector.

Fix—Upgrade Virtual Machine
The new VM build, which Microsoft reports can be installed on Windows 98 and later systems, addresses all the issues discussed in the following Microsoft security bulletins:

Microsoft doesn’t specifically say that you can’t install this new build on Windows 95 systems, so it may have been left out simply because the company no longer supports Windows 95.

Final word
Although users would have to be tricked into visiting a malicious Web site containing Java code designed to exploit this vulnerability, we all know that users can often be tricked into doing a lot of things, so this is a significant threat. I also have my doubts about just how many systems are properly configured to open malicious HTML e-mails in the Restricted Zone.
