[ISN] Microsoft Patches Critical Virtual Machine Flaw

From: InfoSec News (isnat_private)
Date: Thu Apr 10 2003 - 00:25:06 PDT

  • Next message: InfoSec News: "[ISN] Security UPDATE, April 9, 2003"

    By  Dennis Fisher 
    April 9, 2003
    Microsoft Corp. on Wednesday released a patch for a critical new flaw
    in its Virtual Machine Java implementation that gives an attacker the
    ability to run code on a vulnerable computer.
    The Virtual Machine is included in nearly every version of Windows as
    well as in most version of Internet Explorer.
    The vulnerability is in the ByteCode Verifier component of the VM,
    which is part of the class-verification process. The component does
    not correctly check for the presence of some malicious code as Java
    applets are loaded.
    The most likely way for an attacker to exploit this flaw is by
    creating a malicious Java applet, embedding it in a Web page and then
    either enticing a user to visit the page or e-mailing the page to the
    The patch for this vulnerability is available here.
    The Redmond, Wash., company also released a fix for a problem in both
    the Winsock Proxy service in Proxy Server 2.0 and the firewall service
    in the ISA Server 2000. If an attacker sent a specially crafted packet
    to a vulnerable machine, the packet would cause a denial-of-service
    The patch for this issue is here [1].
    [1] http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-012.asp
    ISN is currently hosted by Attrition.org
    To unsubscribe email majordomoat_private with 'unsubscribe isn'
    in the BODY of the mail.

    This archive was generated by hypermail 2b30 : Thu Apr 10 2003 - 02:56:25 PDT