Microsoft Security Bulletin (MS99-045)
--------------------------------------
Patch Available "Virtual Machine Verifier" Vulnerability
Originally Posted: October 21, 1999
Summary
=======
Microsoft has released a new version of the Microsoft(r) virtual machine
(Microsoft VM) that eliminates a security vulnerability that could allow a
Java applet to take unauthorized actions on the computer of a web site
visitor. Although no standard Java compiler can generate such an applet, a
Java applet constructed by hand with a Java bytecode assembler could bypass
the sandbox and take virtually any action on the computer that the user
would be capable of taking.
Issue
=====
The Microsoft VM is a virtual machine for the Win32(r) operating
environment. It runs atop Microsoft Windows(r) 95, 98 or Windows NT(r). It
ships as part of each operating system, and also as part of Microsoft
Internet Explorer.
The version of the Microsoft VM that ships with Microsoft Internet Explorer
4.0 and Internet Explorer 5.0 contains a security vulnerability in the
bytecode verifier that could allow a Java applet to operate outside the
bounds set by the sandbox. If hosted on a web site, it could cause any
action to be taken on the computer of a visiting user that the user himself
could take. This could include, for example, creating, deleting or
modifying files, sending data to or receiving data from a web site, or
reformatting the hard drive.
Affected Software Versions
==========================
Versions of the Microsoft VM are identified by build numbers, which can be
determined using the JVIEW tool, as discussed in the FAQ. The following
builds of the Microsoft VM are affected:
- All builds in the 2000 series
- All builds in the 3000 series prior to but not including build 3188
NOTE: The Microsoft VM ships as part of several products. However, the
primary ship vehicle is Internet Explorer. IE 4 ships with builds in the
2000 series; IE 5 ships with builds in the 3000 series.
NOTE: The above URL installs the latest version of the 3000 series. It can
be installed by anyone, including customers currently using a 2000 series
build. A new version in the 2000 series will be available shortly for
customers who are using a 2000 series build and do not wish to upgrade to
the 3000 series. When this is available, we will modify the bulletin to
provide the specific URL.
NOTE: A patch also will be available shortly at
http://windowsupdate.microsoft.com. When this happens, we will modify the
bulletin to provide the specific URL.
THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS"
WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER
EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS
FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS
SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT,
INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES,
EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE
POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR
LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE
FOREGOING LIMITATION MAY NOT APPLY.
(c) 1999 Microsoft Corporation. All rights reserved. Terms of Use.
