The following is a Security Bulletin from the Microsoft Product Security Notification Service. Please do not reply to this message, as it was sent from an unattended mailbox. ******************************** Microsoft Security Bulletin (MS99-045) -------------------------------------- Patch Available "Virtual Machine Verifier" Vulnerability Originally Posted: October 21, 1999 Summary ======= Microsoft has released a new version of the Microsoft(r) virtual machine (Microsoft VM) that eliminates a security vulnerability that could allow a Java applet to take unauthorized actions on the computer of a web site visitor. Although no standard Java compiler can generate such an applet, a Java applet constructed by hand with a Java bytecode assembler could bypass the sandbox and take virtually any action on the computer that the user would be capable of taking. Frequently asked questions regarding this vulnerability can be found at http://www.microsoft.com/security/bulletins/MS99-045faq.asp. Issue ===== The Microsoft VM is a virtual machine for the Win32(r) operating environment. It runs atop Microsoft Windows(r) 95, 98 or Windows NT(r). It ships as part of each operating system, and also as part of Microsoft Internet Explorer. The version of the Microsoft VM that ships with Microsoft Internet Explorer 4.0 and Internet Explorer 5.0 contains a security vulnerability in the bytecode verifier that could allow a Java applet to operate outside the bounds set by the sandbox. If hosted on a web site, it could cause any action to be taken on the computer of a visiting user that the user himself could take. This could include, for example, creating, deleting or modifying files, sending data to or receiving data from a web site, or reformatting the hard drive. Affected Software Versions ========================== Versions of the Microsoft VM are identified by build numbers, which can be determined using the JVIEW tool, as discussed in the FAQ. The following builds of the Microsoft VM are affected: - All builds in the 2000 series - All builds in the 3000 series prior to but not including build 3188 NOTE: The Microsoft VM ships as part of several products. However, the primary ship vehicle is Internet Explorer. IE 4 ships with builds in the 2000 series; IE 5 ships with builds in the 3000 series. Patch Availability ================== - http://www.microsoft.com/java/vm/dl_vm32.htm NOTE: The above URL installs the latest version of the 3000 series. It can be installed by anyone, including customers currently using a 2000 series build. A new version in the 2000 series will be available shortly for customers who are using a 2000 series build and do not wish to upgrade to the 3000 series. When this is available, we will modify the bulletin to provide the specific URL. NOTE: A patch also will be available shortly at http://windowsupdate.microsoft.com. When this happens, we will modify the bulletin to provide the specific URL. More Information ================ Please see the following references for more information related to this issue. - Microsoft Security Bulletin MS99-045: Frequently Asked Questions, http://www.microsoft.com/security/bulletins/MS99-045faq.asp. - Microsoft Knowledge Base (KB) article Q244283, Bypassing Java Sandbox Results in VM Security Vulnerability, http://support.microsoft.com/support/kb/articles/q244/2/83.asp. (Note: It may take 24 hours from the original posting of this bulletin for this KB article to be visible.) - Microsoft Security Advisor web site, http://www.microsoft.com/security/default.asp. Obtaining Support on this Issue =============================== This is a fully supported patch. Information on contacting Microsoft Technical Support is available at http://support.microsoft.com/support/contact/default.asp. Revisions ========= - October 21, 1999: Bulletin Created. ----------------------------------------------------------------------- THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY. (c) 1999 Microsoft Corporation. All rights reserved. Terms of Use. ******************************************************************* You have received this e-mail bulletin as a result of your registration to the Microsoft Product Security Notification Service. You may unsubscribe from this e-mail notification service at any time by sending an e-mail to MICROSOFT_SECURITY-SIGNOFF-REQUESTat_private The subject line and message body are not used in processing the request, and can be anything you like. For more information on the Microsoft Security Notification Service please visit http://www.microsoft.com/security/services/bulletin.asp. For security-related information about Microsoft products, please visit the Microsoft Security Advisor web site at http://www.microsoft.com/security.
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:08:29 PDT