RealTime IT News

Microsoft Warns of 'Critical' VM Vulnerability

Microsoft has given its highest alert rating to one of eight new security flaws found in its Virtual Machine, the most serious of which could allow attackers to take complete control of a compromised system.

The 69th advisory this year from the Redmond-based software giant carries a "critical" rating for one of the flaws detected, and urges that a patch be applied to cover all builds of Microsoft VM up to and including build 5.0.3805.

Microsoft said the attack vectors for all eight would likely be the same. "An attacker would create a web page that, when opened, exploits the desired vulnerability, and either host it on a web page or send it to a user as an HTML mail."

It said the most serious vulnerability allows an untrusted Java applet to access COM objects. "By design, COM objects should only be available to trusted Java programs because of the functionality they expose. COM objects are available that provide functionality through which an attacker could take control of the system," the company warned.

The bulletin also contained details of a pair of flaws that disguise the actual location of the applet's codebase. "The vulnerabilities provide methods by which an applet located on a web site could misrepresent the location of its codebase, to indicate that it resided instead on the user's local system or a network share," it said.

Microsoft VM is also affected by a vulnerability that could enable an attacker to construct a URL that, when parsed, would load a Java applet from one web site but misrepresent it as belonging to another web site. This creates a hole for the attacker's applet to run in the other site's domain, allowing undetected theft of any information the user provides.

The company said another bug exists because the Microsoft VM doesn't prevent applets from calling the JDBC APIs -- a set of APIs that provide database access methods. By design, these APIs provide functionality to add, change, delete or modify database contents, subject only to the user's permissions.

The disclosure comes just a week after a federal judge gave strong hints he may favor Sun Microsystems in its legal bid to get an injunction to force Microsoft to include Sun's Java programming language in its software products.

Sun has accused Microsoft of advancing its own .NET program and in the process diminishing the value of Sun's Java products.

Separately, Microsoft issued two more security bulletins late Wednesday night for "moderate" and "important" flaws found in the Server Message Block (SMB) protocol and Windows WM_TIMER Message Handling.

The company's 70th security alert for 2002 warned system admins running Windows XP or Windows 2000 to install a patch to fix holes in the SMB protocol, which is used primarily to disseminate group policy information from domain controllers to newly logged-on systems. "A flaw in the implementation of SMB Signing could enable an attacker to silently downgrade the SMB Signing settings on an affected system," the company warned.

"Although this vulnerability could be exploited to expose any SMB session to tampering, the most serious case would involve changing group policy information as it was being disseminated from a Windows 2000 domain controller to a newly logged-on network client. By doing this, the attacker could take actions such as adding users to the local Administrators group or installing and running code of his or her choice on the system," Microsoft said. A fix for the SMB vulnerability is already included in Windows XP Service Pack 1.

Separately, Microsoft warned customers running Windows NT 4.0, Windows 2000, and Windows XP of a flaw in WM_TIMER Message Handling that could enable privilege elevation.

In addition to plugging this hole, Microsoft said the WM_TIMER patch makes changes to several processes that run on the interactive desktop with high privileges. "An attacker who had the ability to log onto a system interactively could potentially run a program that would levy a WM_TIMER request upon such a process, causing it to take any action the attacker specified. This would give the attacker complete control over the system."