[ISN] Bug leaves Windows open to Java attack

From: InfoSec News (isnat_private)
Date: Thu Apr 10 2003 - 23:34:32 PDT


    Matthew Broersma
    10th April 2003

    Microsoft said that its Virtual Machine fails to catch certain
    malicious code in Java applets, allowing an attacker to take control
    of a PC

    Microsoft has warned of three new flaws affecting its software, the
    most serious of which would allow an attacker to gain full control of
    a user's PC using a Java applet.

    The three warnings, all issued on Wednesday, involve the Microsoft
    Virtual Machine for running Java applets on Windows; a cross-site
    scripting bug in a component of Windows 2000 and Windows NT 4.0; and a
    denial-of-service bug affecting Proxy Server 2.0 and ISA Server.

    With the three alerts, Microsoft has issued 12 new warnings so far
    this year. Late last month the company issued patches for Windows and

    The Virtual Machine (VM) flaw is the most serious, meriting a
    "critical" rating from Microsoft. The VM ships with most versions of
    Windows and some versions of Internet Explorer, and is used to run
    programs called "applets" written in Sun Microsystems' Java language.

    A VM component called the ByteCode Verifier does not correctly check
    for the presence of certain malicious code when the applet is being
    loaded, meaning that an attacker could slip malicious code onto a
    user's PC. This malicious applet, which could be delivered via a Web
    page or an email, could allow the attacker to run code of his choice
    on the PC, doing anything from erasing the hard drive to implanting a
    "back door" leaving the machine vulnerable to future attacks.

    Microsoft said that Windows installations containing the VM include
    Windows 95, Windows 98 and 98SE, Windows ME, Windows NT 4.0 (beginning
    with Service Pack 1), Windows 2000 and Windows XP.

    VM builds 5.0.3802 up to and including build 5.0.3809 were tested and
    found to be affected, although earlier builds are probably also
    vulnerable, the company said. The latest builds, 3810 and later,
    should be downloaded and installed in order to eliminate the
    vulnerability. Instructions for downloading and installing the
    software can be found on Microsoft's Web site.

    Microsoft noted that for the exploit to work, the attacker would have
    to entice the user to view a malicious Web site or open a malicious
    email. Email clients that place restrictions on HTML content in
    messages, such as some newer versions of Outlook, would prevent the
    attack from succeeding.

    Cross-site scripting bug

    The cross-site scripting (CSS) bug affects Microsoft Indexing Services
    for Windows 2000 and Windows NT 4.0. Cross-site scripting attacks were
    first publicised in February of 2000, and can affect a variety of
    different server-side software, enabling an attacker to insert
    malicious code into a user's browsing session via a trusted Web site.

    Microsoft said that a component of Indexing Services called
    CiWebHitsFile is vulnerable to a CSS attack, and released a patch to
    fix it. Indexing Services is a search service integrated into Internet
    Information Server and Windows 2000.

    Denial of service vulnerability

    Microsoft's Proxy Server 2.0 and ISA Server contain a vulnerability
    that allows an attacker from within the network to put them out of
    commission using a specially crafted data packet.

    The packet causes the software to hit 100 percent CPU utilisation and
    stop responding to internal and external requests. While a reboot
    allows the software to function again, it is still vulnerable to the
    same attack.

    Specifically, the two pieces of software both contain a flawed version
    of the Winsock Proxy service, which enables certain client-side
    applications to function as though they had a direct Internet
    connection, while routing their traffic through an internal server.

    Microsoft released a patch for the bug on its Web site, and noted that
    while the attack could shut the servers down, it did not allow a
    hacker to gain any higher privileges or compromise any content cached
    on the server.
    ISN is currently hosted by Attrition.org
    To unsubscribe email majordomoat_private with 'unsubscribe isn'
    in the BODY of the mail.
