News

Critical New Microsoft VM Flaw Found

A critical flaw in the controversial Microsoft VM could allow an attacker to execute code on a victim's Windows system, Microsoft warned in a bulletin Wednesday night. The problem is fixed in a new version of the Microsoft VM.

The Microsoft VM is Microsoft's Java Runtime Environment that ships with most versions of Windows and Internet Explorer. The problem arises from the failure of a low-level process called the ByteCode Verifier to check for the presence of malicious code when a Java applet is being loaded.

"The attack vector for this new security issue would likely involve an attacker creating a malicious Java applet and inserting it into a Web page that when opened, would exploit the vulnerability. An attacker could then host this malicious Web page on a Web site, or could send it to a user in e-mail," Microsoft's security team explained in the bulletin (MS03-011).

Microsoft created a new build, 3810, of the Microsoft VM to fix the issue. Had Sun Microsystems succeeded in recent legal filings, Microsoft would not have been able to reissue the Microsoft VM.

Sun recently asked a federal judge to prevent Microsoft from updating its Microsoft VM, even in the case of security vulnerabilities. In those cases, Sun wanted Microsoft to be forced to distribute Sun's Java Runtime Environment instead of its own. The judge agreed with Sun on many issues, although not that one. In any case, the judge's decision was stayed pending appeal.

Last September, Microsoft fixed three other flaws in its Microsoft VM, including two critical flaws that also could have allowed attackers to execute code.

About the Author

Scott Bekker is editor in chief of Redmond Channel Partner magazine.

Featured

  • Report: Cost, Sustainability Drive DaaS Adoption Beyond Remote Work

    Gartner's 2025 Magic Quadrant for Desktop as a Service reveals that while secure remote access remains a key driver of DaaS adoption, a growing number of deployments now focus on broader efficiency goals.

  • Windows 365 Reserve, Microsoft's Cloud PC Rental Service, Hits Preview

    Microsoft has launched a limited public preview of its new "Windows 365 Reserve" service, which lets organizations rent cloud PC instances in the event their Windows devices are stolen, lost or damaged.

  • Hands-On AI Skills Now Outshine Certs in Salary Stakes

    For AI-related roles, employers are prioritizing verifiable, hands-on abilities over framed certificates -- and they're paying a premium for it.

  • Roadblocks in Enterprise AI: Data and Skills Shortfalls Could Cost Millions

    Businesses risk losing up to $87 million a year if they fail to catch up with AI innovation, according to the Couchbase FY 2026 CIO AI Survey released this month.