Critical New Microsoft VM Flaw Found
- By Scott Bekker
- April 09, 2003
A critical flaw in the controversial Microsoft VM could allow an attacker to execute code on a victim's Windows system, Microsoft warned in a bulletin Wednesday night. The problem is fixed in a new version of the Microsoft VM.
The Microsoft VM is Microsoft's own Java virtual machine, shipped with most versions of Windows and Internet Explorer. The problem lies in a low-level component called the ByteCode Verifier, whose job is to confirm, before an applet runs, that its bytecode obeys the VM's type-safety rules. In the affected builds the verifier fails to detect certain malicious code while an applet is being loaded, so such an applet can escape the Java sandbox and run code of the attacker's choosing with the privileges of the logged-on user.
"The attack vector for this new security issue would likely involve an attacker creating a malicious Java applet and inserting it into a Web page that when opened, would exploit the vulnerability. An attacker could then host this malicious Web page on a Web site, or could send it to a user in e-mail," Microsoft's security team explained in the bulletin (MS03-011).
Microsoft created a new build, 3810, of the Microsoft VM to fix the issue. Had Sun Microsystems succeeded in recent legal filings, Microsoft would not have been able to reissue the Microsoft VM.
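The practical question for an administrator is whether a given machine is already on build 3810 or later. The following is an added example, not code from the article or from Microsoft: it parses the banner printed by the Microsoft VM's command-line loader, jview, and compares the build number against the fixed build named above. The banner format ("... Version 5.00.NNNN") and the sample banners are assumptions constructed for the example, not output captured from a real machine.

```python
import re
import subprocess
import sys

# Build that fixes MS03-011, as stated in the bulletin and the article.
FIXED_BUILD = 3810

# Assumption: jview prints a banner of the form
# "Microsoft (R) Command-line Loader for Java Version 5.00.NNNN".
# The third number is the Microsoft VM build.
_VERSION_RE = re.compile(r"Version\s+(\d+)\.(\d+)\.(\d+)")


def parse_jview_build(output: str):
    """Return the build number found in jview's banner, or None when no
    version line is present (for example when the VM is not installed and
    the shell reports that jview is not a recognized command)."""
    match = _VERSION_RE.search(output)
    if not match:
        return None
    return int(match.group(3))


def assess(output: str) -> str:
    """Classify a jview banner as 'patched', 'vulnerable' or 'no-vm'."""
    build = parse_jview_build(output)
    if build is None:
        return "no-vm"
    return "patched" if build >= FIXED_BUILD else "vulnerable"


def check_local():
    """On a Windows host, run jview and assess its banner. Returns None on
    other platforms, where the Microsoft VM cannot be present."""
    if sys.platform != "win32":
        return None
    try:
        # jview with no arguments prints its banner and usage text; we do
        # not care about the exit status, only the banner.
        proc = subprocess.run(["jview"], capture_output=True, text=True)
    except FileNotFoundError:
        return "no-vm"
    return assess(proc.stdout + proc.stderr)


# Constructed sample banners (not real captures) covering the three cases.
SAMPLE_OLD = (
    "Microsoft (R) Command-line Loader for Java Version 5.00.3802\n"
    "Copyright (C) Microsoft Corp 1996-2000. All rights reserved.\n"
)
SAMPLE_FIXED = (
    "Microsoft (R) Command-line Loader for Java Version 5.00.3810\n"
    "Copyright (C) Microsoft Corp 1996-2000. All rights reserved.\n"
)
SAMPLE_MISSING = (
    "'jview' is not recognized as an internal or external command,\n"
    "operable program or batch file.\n"
)

if __name__ == "__main__":
    for label, banner in (("old", SAMPLE_OLD), ("fixed", SAMPLE_FIXED),
                          ("missing", SAMPLE_MISSING)):
        print(f"{label}: {assess(banner)}")
    print(f"this host: {check_local()}")
```

The comparison is deliberately "greater than or equal": any later build Microsoft ships should carry the fix, so a higher build number is treated as patched. A host that is not Windows, or on which jview is absent, is reported separately rather than as "vulnerable", since there is nothing there to patch.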
Sun recently asked a federal judge to prevent Microsoft from updating its Microsoft VM, even in the case of security vulnerabilities. In those cases, Sun wanted Microsoft to be forced to distribute Sun's Java Runtime Environment instead of its own. The judge agreed with Sun on many issues, although not that one. In any case, the judge's decision was stayed pending appeal.
Last September, Microsoft fixed three other flaws in its Microsoft VM, including two critical flaws that also could have allowed attackers to execute code.
Scott Bekker is editor in chief of Redmond Channel Partner magazine.