Critical Updates for Microsoft VM

Are you keeping up with all the patches Microsoft has issued? Microsoft has issued 71 security bulletins so far this year. One bulletin in particular, MS02-069 (Flaw in Microsoft VM Could Enable System Compromise) issued December 11, addresses several problems with the Microsoft Virtual Machine (VM) used for Java code. Versions of the VM software through version 5.0.3805 are vulnerable. According to Microsoft, "The most serious of these issues could enable a Web site to compromise your system and take actions such as changing data, loading and running programs, and reformatting the hard disk." The patch is a critical update, and everyone should install it.

In the past, Microsoft has indicated that it will remove Java support from Windows. In June, Microsoft announced that because of a legal settlement with Sun Microsystems, after January 1, 2004, the company can no longer make modifications to Sun's Java code, including security fixes. Because of the settlement, Microsoft said, the company wouldn't include Java with Windows after that date. The decision stems from a legal argument between the two companies (to read more about that story, see the WinInfo Web site; also, read the latest updates about the legal proceedings between Sun and Microsoft).

Even if Microsoft removes Java support from Windows, you might still use the Microsoft VM in the future, so consider loading the latest patch anyway, just in case. The patch will replace the "jview" program on your system with the latest version. While you're updating the Microsoft VM on your systems, consider upgrading other Java runtime components. You can do that by downloading \[\] the latest Java runtime environment (the Java 2 Platform) directly from Sun's Java Web site. Sun's runtime environment works with Windows XP, Windows 2000, Windows NT, Windows Me, Windows 9x, Sun Solaris, Linux, and Macintosh platforms.

Speaking of patches, have you visited PivX Solutions' list of unpatched security holes in Microsoft products lately? Last updated December 9, 2002, the page lists 19 unpatched security vulnerabilities. Two items listed pertain to Java, and I can't tell whether this latest patch from Microsoft fixes those items. However, even if the patch does fix the Java vulnerabilities, take note of the 17 other unpatched holes that you should be aware of.

The problems range from the simple to the complex, including circumventing Microsoft Internet Explorer's (IE's) security zones, reading local files on a user's computer, and executing arbitrary code. The oldest problem listed on the Web page was reported almost a year ago, December 22, 2001, and relates to man-in-the-middle attacks against Secure Sockets Layer (SSL) traffic. The newest problem, posted December 3, 2002, pertains to cookie theft and monitoring users' Web activity. Be sure to read the Web page—and guard your systems against those holes until Microsoft develops a patch.

Hide comments


  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.