Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:3872
HistoryDec 14, 2002 - 12:00 a.m.

Microsoft Security Bulletin MS02-069: Flaw in Microsoft VM Could Enable System Compromise (810030)

2002-12-1400:00:00
vulners.com
23
JSON

-----BEGIN PGP SIGNED MESSAGE-----

Title: Flaw in Microsoft VM Could Enable System
Compromise (810030)
Date: 11 December 2002
Software: Microsoft VM
Impact: Eight vulnerabilities, the most serious of which
would enable an attacker to gain control over
another user's system.
Max Risk: Critical
Bulletin: MS02-069

Microsoft encourages customers to review the Security Bulletins at:
http://www.microsoft.com/technet/security/bulletin/MS02-069.asp
http://www.microsoft.com/security/security_bulletins/ms02-069.asp.

Issue:

The Microsoft VM is a virtual machine for the Win32(r) operating
environment. The Microsoft
VM shipped in most versions of Windows (a complete list is available
in the FAQ), as well as
in most versions of Internet Explorer.

A new version of the Microsoft VM is available, which includes all
previously released fixes
for the VM, as well as fixes for eight newly reported security
issues. The attack vectors
for all of the new issues would likely be the same. An attacker would
create a web page
that, when opened, exploits the desired vulnerability, and either
host it on a web page or
send it to a user as an HTML mail.

The newly reported security issues are as follows:

  • A security vulnerability through which an untrusted
    Java applet could access COM objects. By design, COM
    objects should only be available to trusted Java
    programs because of the functionality they expose. COM
    objects are available that provide functionality through
    which an attacker could take control of the system.
  • A pair of vulnerabilities that, although having
    different underlying causes, would have the same effect,
    namely, disguising the actual location of the applet's
    codebase. By design, a Java applet that resides on user
    storage or a network share has read access to the folder
    it resides in and all folders below it. The
    vulnerabilities provide methods by which an applet
    located on a web site could misrepresent the location of
    its codebase, to indicate that it resided instead on the
    user's local system or a network share.
  • A vulnerability that could enable an attacker to construct
    an URL that, when parsed, would load a Java applet from
    one web site but misrepresent it as belonging to another
    web site. The result would be that the attacker's applet
    would run in the other site's domain. Any information the
    user provided to it could be relayed back to the attacker.
  • A vulnerability that results because the Microsoft VM
    doesn't prevent applets from calling the JDBC APIs - a
    set of APIs that provide database access methods. By
    design, these APIs provide functionality to add, change,
    delete or modify database contents, subject only to the
    user's permissions.
  • A vulnerability through which an attacker could
    temporarily prevent specified Java objects from being
    loaded and run. A legacy security mechanism known as the
    Standard Security Manager provides the ability to impose
    restrictions on Java applets, up to and including
    preventing them from running altogether. However, the VM
    does not adequately regulate access to the SSM, with the
    result that an attacker's applet could add other Java
    objects to the "banned" list.
  • A vulnerability through which an attacker could learn a
    user's username on their local system. The vulnerability
    results because one particular system property, user.dir,
    should not be available to untrusted applets but, through
    a flaw, is. While knowing a username would not in itself
    pose a security risk, it could be useful for
    reconnaissance purposes.
  • A vulnerability that results because it's possible for a
    Java applet to perform an incomplete instantiation of
    another Java object. The effect of doing so would be to
    cause the containing application - Internet Explorer - to
    fail.

Mitigating Factors:

All of the vulnerabilities share a pair of common mitigating factors:

  • The web-based attack vector would be blocked if the user
    had disabled Java applets in the Internet Explorer
    security zone in which the attacker's web site rendered.
  • The email vector would be blocked if the user were running
    any of several mail clients. Specifically, Outlook
    Express 6 and Outlook 2002 (which ships as part of Office
    XP) disable Java by default, and Outlook 98 and 2000
    disable it if the Outlook Email Security Update has been
    installed.

COM Object Access Vulnerability:

  • The vulnerability represents a target of opportunity only.
    The attacker would have no means of ensuring that
    sensitive data would be located in system memory, cookies,
    the clipboard, or other locations.

CODEBASE Spoofing Vulnerabilities:

  • The attacker's access to files, including those on remote
    shares, would be limited to those of the user. If the
    user had only limited permissions, so would the attacker.

Domain Spoofing Vulnerability:

  • The vulnerability could only be exploited if the user
    visited the attacker's site en route to visiting a
    third-party site.
  • The effect of exploiting the vulnerability would apply
    only to the current web session.

JDBC API Vulnerability:

  • To exploit this vulnerability, the attacker would need
    to know the names of each data source he or she wanted
    to access. In most cases, this would require the attacker
    to have insider knowledge of the user's network.
  • The attacker would gain only the user's own permissions
    to the data sources. For instance, if the user had only
    read access to a particular database, so would the
    attacker.

Standard Security Manager Access Vulnerability:

  • The effect of exploiting this vulnerability would only
    persist during the current browser session.
  • The vulnerability provides no means of modifying an
    applet's functioning - only preventing it from running.

User.dir Exposure Vulnerability:

  • Knowing a user's username would not, by itself, enable
    an attacker to take any action against the user. The
    sole value in learning this information would be for
    reconnaissance purposes, in the hope of using it in
    some future, unspecified attack.

Incomplete Java object Instantiation Vulnerability:

  • This vulnerability would only enable the attacker to
    cause Internet Explorer to fail - it would not enable
    the attacker to cause Windows itself, or any other
    applications, to fail.
  • The user could restore normal operation by restarting
    the browser.

Risk Rating:

  • COM Object Access Vulnerability: Critical
  • CODEBASE Spoofing Vulnerabilities: Important
  • Domain Spoofing Vulnerability: Moderate
  • JDBC API Vulnerability: Moderate
  • Standard Security Manager Access Vulnerability: Low
  • User.dir Exposure Vulnerability: Low
  • Incomplete Java object Instantiation Vulnerability: Low

Patch Availability:

THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS
PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS
ALL WARRANTIES, EITHER
EXPRESS OR IMPLIED, INCLUDING THE
WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
IN NO EVENT SHALL
MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES
WHATSOEVER INCLUDING
DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS
OR SPECIAL DAMAGES,
EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF
THE POSSIBILITY OF SUCH
DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF
LIABILITY FOR CONSEQUENTIAL
OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY.

-----BEGIN PGP SIGNATURE-----
Version: PGP 7.1

iQEVAwUBPfe8II0ZSRQxA/UrAQE+wAf/WdruD788OEm/Gg3SAhJv9VLRfQ7ck+3F
Q6e6hh21UmJmGXMtlsUzNyccvK0fELA352i6L0KCc8yJs5NQPDDqVVZ2bOFr+QiU
8KMLAptr2TfAlb3zNhUGQuTxnGIfzLKoaRz3dtal3FLWV4UoyOMTh5KiX/I9O+wH
Vr1X7i9Ii+I4tR/56Ew0e+L5KoKR9W7SI/rdKogRBPoSQ0OcnVtY6+bm9SK6+49z
5YI+3N5kYCpyBtIKfP5kRQ2AdO1nB9Ezar4f2kI3zrlvp4+znPSBhLjmrODXpKfv
hRGbueA+jZ+J5lDsDgXe9qFfp3Z9crMSUQvdovhZeaBBBdhIVrBCNQ==
=xtJ0
-----END PGP SIGNATURE-----

You have received this e-mail bulletin because of your subscription to the Microsoft
Product Security Notification Service. For more information on this service, please visit
http://www.microsoft.com/technet/security/notify.asp.

To verify the digital signature on this bulletin, please download our PGP key at
http://www.microsoft.com/technet/security/notify.asp.

To unsubscribe from the Microsoft Security Notification Service, please visit the
Microsoft Profile Center at http://register.microsoft.com/regsys/pic.asp

If you do not wish to use Microsoft Passport, you can unsubscribe from the Microsoft
Security Notification Service via email as described below:
Reply to this message with the word UNSUBSCRIBE in the Subject line.

For security-related information about Microsoft products, please visit the Microsoft
Security Advisor web site at http://www.microsoft.com/security.

JSON