Microsoft Virtual Machine multiple flaws allow malicious control

Risk
High

Date Discovered
03-04-2002

Description
Two vulnerabilities exist in the Microsoft Virtual Machine (VM) implementation. The first, which affects users who access the Internet through a proxy server, may permit a malicious applet to redirect Web traffic to another destination or record unencrypted confidential information that is sent during the Internet session. The second affects Java applets and may permit an attacker to gain control of a user's computer.

The Microsoft VM runs Java code in an operating environment that, for security, is isolated from the computer on which it is run. Microsoft Virtual Machine is supplied for Windows 95, 98, ME, NT 4.0, 2000, and XP. It is also available as part of Internet Explorer 6 and earlier.

The first vulnerability was reported on March 4, 2002. Because both concern the Microsoft VM, Microsoft modified the vulnerability on March 18, 2002 after discovering the second critical flaw. The flaws affect Microsoft VM Build 3802 and earlier.

The first vulnerability, which only affects computers that utilize a proxy server, lies in how Java requests for proxy resources are handled. This flaw affects not only Microsoft VM, but others as well. (See the References for details.) When exploited, a malicious applet could redirect Web traffic to a destination of the attacker's choice. The attacker could then take control and discard the user's session to simulate a denial of service (DoS) or search for the user's session for unencrypted confidential data.

Microsoft's best practices strongly recommend using SSL to encrypt sensitive information such as user names, passwords, and credit card numbers. If done, sensitive information is protected from examination and disclosure by an attacker exploiting this vulnerability.

The second vulnerability lies in the Microsoft VM verifier and may enable an attacker to execute code in the context of the user outside of the security of the Virtual Machine. This flaw only affects Java applets, not Java applications. To exploit the vulnerability, the attacker lures the victim to a site where the malicious applet resides. Once the victim is compromised, the attacker can execute any action on the victim's computer that the victim could. These actions include creating, deleting, or modifying files, sending and receiving data to or from a Web site, or even reformatting the victim's hard drive.

Platforms Affected
Windows

Components Affected
Microsoft Virtual Machine build 3802 and previous

Microsoft Virtual Machine build 3802 and previous
Policy : Use SSL to encrypt sensitive data

A good best practice is to use SSL to encrypt sensitive information such as:
user names
passwords
credit card numbers
Other sensitive data

By using SSL, sensitive information will be protected from examination and disclosure by an attacker exploiting this as well as other data disclosure vulnerabilities.


Microsoft Virtual Machine build 3802 and previous
Upgrade : Microsoft Virtual Machine build 3805 or latter Upgrade

The updated Microsoft VM can be installed on systems that do not have a Microsoft VM already installed or that are running a previous version of the Microsoft VM.
Inclusion in future service packs:
The fix for this issue may be included in future service packs.

Reboot is needed

Superseded patches:
MS99-031
MS99-045
MS00-011
MS00-059
MS00-075
MS00-081

Verifying patch installation:

After downloading and installing the updated Microsoft VM, reboot the machine and follow these instructions for determining the build number:

1) Open a command window:
On Windows NT, Windows 2000, or Windows XP:
Choose "Start", "Run", then type "CMD" and hit the enter key.

On Windows 95, 98, or ME,
Choose "Start", "Run" then type "COMMAND" and hit the enter key.

2) At the command prompt, type "JVIEW" and hit the enter key.

3) The version information will be at the right of the topmost line. It will have a format like "5.00.xxxx", where the "xxxx" is the build number. For example, if the version number is 5.00.1234, you have build number 1234.

The Microsoft VM build number should show as version 3805 or later.

Caveats:
None

Localization:
This patch will install all language versions.

References
Source: Microsoft MS02-013
URL: http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS02-013.asp

Source: Security Focus.com 4228
URL: http://online.securityfocus.com/bid/4228

Source: CVE CAN-2002-0058
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=2002-0058

Source: CVE CAN-2002-0076
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=2002-0076

Copyright (c) 2008 by Symantec Corp.
Permission to redistribute this alert electronically is granted as long as it is not edited in any way unless authorized by Symantec Security Response. Reprinting the whole or part of this alert in any medium other than electronically requires permission from secure@symantec.com.

Disclaimer
The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.

Symantec, Symantec products, Symantec Security Response, and secure@symantec.com are registered trademarks of Symantec Corp. and/or affiliated companies in the United States and other countries. All other registered and unregistered trademarks represented in this document are the sole property of their respective companies/owners.