Reported December 11, 2002, by Microsoft.
VERSIONS AFFECTED
· Microsoft Virtual Machine (VM)
· Microsoft Windows (all versions)
DESCRIPTION
Eight new vulnerabilities have been discovered in Microsoft Virtual Machine (VM). The most serious of these vulnerabilities can give an attacker complete control over the vulnerable system. The eight vulnerabilities are as follows:
· A security vulnerability through which an untrusted Java applet can access COM objects. By design, COM objects should be available only to trusted Java programs because of the functionality they expose. An attacker can use functionality provided by these COM objects to take control of the system.
· Two vulnerabilities that have different underlying causes but the same effect: disguising the location of the Java applet’s codebase. By design, a Java applet that resides in user storage or on a network share has read access to the folder in which it resides and all folders below it. The two vulnerabilities provide methods by which an applet located on a Web site can misrepresent the location of its codebase so that it appears to reside on the user’s local system or a network share.
· A vulnerability that could permit an attacker to construct a URL that, when parsed, loads a Java applet from one Web site but misrepresents the applet as belonging to another Web site. The result is that the attacker’s applet runs in the other site’s domain. Any information the user provides can then be relayed to the attacker.
· A vulnerability that occurs because VM doesn’t prevent applets from calling the Java Database Connectivity (JDBC) APIs--a set of APIs that provide database-access methods. By design, these APIs let you add, change, delete, or modify database contents, subject only to the user’s permissions.
· A vulnerability through which an attacker can temporarily prevent specified Java objects from loading and running. A legacy security mechanism called the Standard Security Manager (SSM) provides the ability to impose restrictions on Java applets, including preventing them from running. However, VM doesn't adequately regulate access to the SSM; therefore, an attacker’s applet can add other Java objects to the “banned” list.
· A vulnerability through which an attacker can learn a user’s username on the local system. The vulnerability occurs because the system property user.dir is, because of a flaw, mistakenly available to untrusted applets. Although knowledge of a username doesn't in itself pose a security risk, it can be useful for reconnaissance purposes.
· A vulnerability that occurs because a Java applet can perform an incomplete instantiation of another Java object. Doing so can cause the containing application--Microsoft Internet Explorer (IE)--to fail.
VENDOR RESPONSE
Microsoft has released Security Bulletin MS02-069, "Flaw in Microsoft VM Could Enable System Compromise (810030)," to address these vulnerabilities and recommends that affected users immediately apply the appropriate patch available through Windows Update.
CREDIT
Discovered by GreyMagic Software and Thor Larholm.
Multiple Vulnerabilities in Microsoft Virtual Machine