The following is a Security Bulletin from the Microsoft Product Security
Notification Service.
Please do not reply to this message, as it was sent from an unattended
mailbox.
********************************
Microsoft Security Bulletin (MS99-045)
--------------------------------------
Patch Available "Virtual Machine Verifier" Vulnerability
Originally Posted: October 21, 1999
Summary
=======
Microsoft has released a new version of the Microsoft(r) virtual machine
(Microsoft VM) that eliminates a security vulnerability that could allow a
Java applet to take unauthorized actions on the computer of a web site
visitor. Although no standard Java compiler can generate such an applet, a
Java applet constructed by hand with a Java bytecode assembler could bypass
the sandbox and take virtually any action on the computer that the user
would be capable of taking.
Frequently asked questions regarding this vulnerability can be found
at http://www.microsoft.com/security/bulletins/MS99-045faq.asp.
Issue
=====
The Microsoft VM is a virtual machine for the Win32(r) operating
environment. It runs atop Microsoft Windows(r) 95, 98 or Windows NT(r). It
ships as part of each operating system, and also as part of Microsoft
Internet Explorer.
The version of the Microsoft VM that ships with Microsoft Internet Explorer
4.0 and Internet Explorer 5.0 contains a security vulnerability in the
bytecode verifier that could allow a Java applet to operate outside the
bounds set by the sandbox. If hosted on a web site, it could cause any
action to be taken on the computer of a visiting user that the user himself
could take. This could include, for example, creating, deleting or
modifying files, sending data to or receiving data from a web site, or
reformatting the hard drive.
Affected Software Versions
==========================
Versions of the Microsoft VM are identified by build numbers, which can be
determined using the JVIEW tool, as discussed in the FAQ. The following
builds of the Microsoft VM are affected:
- All builds in the 2000 series
- All builds in the 3000 series prior to but not including build 3188
NOTE: The Microsoft VM ships as part of several products. However, the
primary ship vehicle is Internet Explorer. IE 4 ships with builds in the
2000 series; IE 5 ships with builds in the 3000 series.
Patch Availability
==================
- http://www.microsoft.com/java/vm/dl_vm32.htm
NOTE: The above URL installs the latest version of the 3000 series. It can
be installed by anyone, including customers currently using a 2000 series
build. A new version in the 2000 series will be available shortly for
customers who are using a 2000 series build and do not wish to upgrade to
the 3000 series. When this is available, we will modify the bulletin to
provide the specific URL.
NOTE: A patch also will be available shortly at
http://windowsupdate.microsoft.com. When this happens, we will modify the
bulletin to provide the specific URL.
More Information
================
Please see the following references for more information related to this
issue.
- Microsoft Security Bulletin MS99-045: Frequently Asked Questions,
http://www.microsoft.com/security/bulletins/MS99-045faq.asp.
- Microsoft Knowledge Base (KB) article Q244283,
Bypassing Java Sandbox Results in VM Security Vulnerability,
http://support.microsoft.com/support/kb/articles/q244/2/83.asp.
(Note: It may take 24 hours from the original posting of this bulletin
for this KB article to be visible.)
- Microsoft Security Advisor web site,
http://www.microsoft.com/security/default.asp.
Obtaining Support on this Issue
===============================
This is a fully supported patch. Information on contacting Microsoft
Technical Support is available at
http://support.microsoft.com/support/contact/default.asp.
Revisions
=========
- October 21, 1999: Bulletin Created.
-----------------------------------------------------------------------
THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS"
WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER
EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS
FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS
SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT,
INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES,
EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE
POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR
LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE
FOREGOING LIMITATION MAY NOT APPLY.
(c) 1999 Microsoft Corporation. All rights reserved. Terms of Use.
*******************************************************************
You have received this e-mail bulletin as a result of your registration
to the Microsoft Product Security Notification Service. You may
unsubscribe from this e-mail notification service at any time by sending
an e-mail to MICROSOFT_SECURITY-SIGNOFF-REQUESTat_private
The subject line and message body are not used in processing the request,
and can be anything you like.
For more information on the Microsoft Security Notification Service
please visit http://www.microsoft.com/security/services/bulletin.asp. For
security-related information about Microsoft products, please visit the
Microsoft Security Advisor web site at http://www.microsoft.com/security.
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:08:29 PDT