Multiple Vulnerabilities in Microsoft Virtual Machine

Eight new vulnerabilities have been discovered in Microsoft Virtual Machine (VM).

Ken Pfeil

December 15, 2002


Reported December 11, 2002, by Microsoft.

VERSIONS AFFECTED

· Microsoft Virtual Machine (VM)

· Microsoft Windows (all versions)

DESCRIPTION

Eight new vulnerabilities have been discovered in Microsoft Virtual Machine (VM). The most serious of these vulnerabilities can give an attacker complete control over the vulnerable system. The eight vulnerabilities are as follows:

· A security vulnerability through which an untrusted Java applet can access COM objects. By design, COM objects should be available only to trusted Java programs because of the functionality they expose. An attacker can use functionality provided by these COM objects to take control of the system.

· Two vulnerabilities that have different underlying causes but the same effect: disguising the location of the Java applet's codebase. By design, a Java applet that resides in user storage or on a network share has read access to the folder in which it resides and all folders below it. The two vulnerabilities provide methods by which an applet located on a Web site can misrepresent the location of its codebase so that it appears to reside on the user's local system or a network share.

· A vulnerability that could permit an attacker to construct a URL that, when parsed, loads a Java applet from one Web site but misrepresents the applet as belonging to another Web site. The result is that the attacker's applet runs in the other site's domain. Any information the user provides can then be relayed to the attacker.

· A vulnerability that occurs because VM doesn't prevent applets from calling the Java Database Connectivity (JDBC) APIs--a set of APIs that provide database-access methods. By design, these APIs let you add, change, delete, or modify database contents, subject only to the user's permissions.

· A vulnerability through which an attacker can temporarily prevent specified Java objects from loading and running. A legacy security mechanism called the Standard Security Manager (SSM) provides the ability to impose restrictions on Java applets, including preventing them from running. However, VM doesn't adequately regulate access to the SSM; therefore, an attacker's applet can add other Java objects to the "banned" list.

· A vulnerability through which an attacker can learn a user's username on the local system. The vulnerability occurs because the system property user.dir is, because of a flaw, mistakenly available to untrusted applets. Although knowledge of a username doesn't in itself pose a security risk, it can be useful for reconnaissance purposes.

· A vulnerability that occurs because a Java applet can perform an incomplete instantiation of another Java object. The effect of doing so can cause the containing application--Microsoft Internet Explorer (IE)--to fail.

VENDOR RESPONSE

Microsoft has released Security Bulletin MS02-069, "Flaw in Microsoft VM Could Enable System Compromise (810030)," to address these vulnerabilities and recommends that affected users immediately apply the appropriate patch available through Windows Update.

CREDIT

Discovered by GreyMagic Software and Thor Larholm.
