Microsoft Warns of ‘Critical’ VM Vulnerability

Microsoft has tagged its highest alert rating on one of eight
new security flaws found in Microsoft Virtual Machine (VM), the
most serious of which could allow attackers to take complete control over a
compromised system.

The 69th advisory this year from the
Redmond-based software giant carries a “critical” rating for one of the flaws detected and urges that a patch be
applied to cover all builds of Microsoft VM up to and including build

Microsoft said the attack vectors for all eight would likely be the
same. “An attacker would create a web page that, when opened, exploits the
desired vulnerability, and either host it on a web page or send it to a user
as an HTML mail.”

It said the most serious vulnerability allows an untrusted Java applet to
access COM objects. “By design, COM objects should only be available to
trusted Java programs because of the functionality they expose. COM objects
are available that provide functionality through which an attacker could
take control of the system,” the company warned.

The bulletin also contained details of a pair of flaws that disguise the
actual location of the applet’s codebase. “The vulnerabilities provide
methods by which an applet located on a web site could misrepresent the
location of its codebase, to indicate that it resided instead on the user’s
local system or a network share,” it said.

Microsoft VM is also affected by a vulnerability that could enable an
attacker to construct a URL that, when parsed, would load a Java applet
from one web site but misrepresent it as belonging to another web site. This
creates a hole for the attacker’s applet to run in the other site’s domain,
allowing undetected theft of any information the user provides.

The company said another bug exists because the Microsoft VM doesn’t
prevent applets from calling the JDBC APIs — a set of APIs that provide
database access methods. By design, these APIs provide functionality to add,
change, delete or modify database contents, subject only to the user’s

The disclosure comes just a week after a federal judge gave strong hints he may favor Sun Microsystems in its legal bid to get an injunction to force Microsoft to include Sun’s Java programming language in its software products.

Sun has accused Microsoft of advancing its own .NET program and in the process diminishing the value of Sun’s Java products.

Separately, Microsoft issued two more security bulletins late Wednesday night
for “moderate” and “important” flaws found in the Server Message Block (SMB)
protocol and Windows WM_TIMER Message Handling.

The company’s 70th security alert for 2002 warned system admins running
Windows XP or Windows 2000 to install a patch to fix holes in the SMB
protocol, which is used primarily to disseminate group policy information
from domain controllers to newly logged-on systems. “A flaw in the
implementation of SMB Signing could enable an attacker to silently downgrade
the SMB Signing settings on an affected system,” the company warned.

“Although this vulnerability could be exploited to expose any SMB session
to tampering, the most serious case would involve changing group policy
information as it was being disseminated from a Windows 2000 domain
controller to a newly logged-on network client. By doing this, the attacker
could take actions such as adding users to the local Administrators group or
installing and running code of his or her choice on the system,” Microsoft
said. A fix for the SMB vulnerability is already included in Windows XP
Service Pack 1.

In its other bulletin, Microsoft warned customers running Windows NT 4.0,
Windows 2000, and Windows XP of a flaw in WM_TIMER Message Handling that
could enable privilege elevation.

In addition to plugging this hole, Microsoft said the WM_TIMER patch
makes changes to several processes that run on the interactive desktop with
high privileges. “An attacker who had the ability to log onto a system
interactively could potentially run a program that would levy a WM_TIMER
request upon such a process, causing it to take any action the attacker
specified. This would give the attacker complete control over the system.”