
Microsoft small business knowledge base

Article ID: 329077 - Last Review: June 30, 2009 - Revision: 10.0

This article was previously published under Q329077
Notice
The Microsoft virtual machine (Microsoft VM) update that was previously listed in this article is no longer available. For more information, visit the following Microsoft Web pages:
http://www.microsoft.com/mscorp/java/default.mspx
http://support.microsoft.com/gp/lifean12

SYMPTOMS

The Microsoft virtual machine (VM) is a Java virtual machine for 32-bit versions of Microsoft Windows. It was included with most versions of Windows and with most versions of Microsoft Internet Explorer. A new patch for the Microsoft VM is available (see the notice above: the update has since been withdrawn). This patch corrects three security vulnerabilities. The attack vector for all three is likely to be the same: an attacker creates a Web page that invokes a malicious Java program, and then either hosts the page on a Web server or sends it as an HTML e-mail message. A user who views the page is attacked.

The first vulnerability involves the Java Database Connectivity (JDBC) classes, which let Java programs connect to and use data from a wide variety of data sources, ranging from flat files to Microsoft SQL Server databases. The vulnerability occurs because of a flaw in the way the JDBC classes vet a request to load and run a DLL on the user's computer. Although the classes perform checks that are designed to make sure that only authorized programs can make such a request, the check can be bypassed by deliberately malforming the request in a particular way. This might permit an attacker to load and run any DLL on the user's computer, in the security context of the user who is viewing the page.

The second vulnerability also involves the JDBC classes. It occurs because certain functions in the classes do not correctly validate the handles that are provided as input. The simplest abuse of this flaw is to pass data that is not a valid handle where such a function expects one; Microsoft has confirmed that this causes Internet Explorer to stop working (crash). The flaw might also permit an attacker to supply data that causes code to run in the security context of the user.

The third vulnerability involves a class that provides XML support for Java programs. The class exposes a number of methods. Some are suitable for use by any program, but others are suitable only for use by trusted programs. However, the class does not differentiate correctly between the two cases, and instead makes all of its methods available to all programs. The methods that can be misused through this vulnerability include ones that might permit a program to take virtually any action on the user's computer.
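The second and third vulnerabilities described above are both failures to check something before acting on caller-supplied input: a handle that is used without being validated, and privileged methods that are reachable without any check on the caller's trust. The following C example is added here for illustration and is not code from the Microsoft VM; it models both defect classes in generic form with a toy native bridge: a handle table with the unchecked lookup beside a validated one that rejects garbage, stale and forged handles, and a dispatcher that gates trusted-only operations. All names (bridge_*, handle_t, CALLER_*, OP_*) and the "select 1" sample payload are hypothetical.

```c
/* Added illustration for this article, not Microsoft VM code: a toy native
 * "bridge" that models two of the defect classes described above in generic
 * form. Every name below (bridge_*, handle_t, CALLER_*, OP_*) is hypothetical.
 */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum { MAX_OBJECTS = 8 };

typedef struct {
    bool     in_use;
    uint16_t generation;   /* bumped on every allocation of this slot */
    char     payload[32];
} object_slot;

static object_slot g_table[MAX_OBJECTS];

/* Handle layout: slot index in the low 16 bits, slot generation in the high 16. */
typedef uint32_t handle_t;
#define HANDLE_INVALID ((handle_t)0)   /* never issued: generation starts at 1 */

handle_t bridge_alloc(const char *payload) {
    for (uint16_t i = 0; i < MAX_OBJECTS; i++) {
        object_slot *s = &g_table[i];
        if (s->in_use) continue;
        if (++s->generation == 0) s->generation = 1;   /* keep handles non-zero on wrap */
        s->in_use = true;
        snprintf(s->payload, sizeof s->payload, "%s", payload);
        return ((uint32_t)s->generation << 16) | i;
    }
    return HANDLE_INVALID;
}

/* Second vulnerability, vulnerable shape: the handle is used as a table index with
 * no check, so garbage passed in place of a handle reads outside the table. */
const char *bridge_payload_unchecked(handle_t h) {
    return g_table[h & 0xFFFFu].payload;   /* kept for contrast; never call with untrusted input */
}

/* Hardened lookup: range-check the index, reject free slots, and reject stale or
 * forged handles whose generation does not match the slot. */
static object_slot *lookup(handle_t h) {
    uint16_t index = (uint16_t)(h & 0xFFFFu);
    uint16_t gen   = (uint16_t)(h >> 16);
    if (h == HANDLE_INVALID || index >= MAX_OBJECTS) return NULL;
    object_slot *s = &g_table[index];
    if (!s->in_use || s->generation != gen) return NULL;
    return s;
}

bool bridge_payload_checked(handle_t h, char *out, size_t out_len) {
    object_slot *s = lookup(h);
    if (s == NULL) return false;       /* invalid data, not a handle: fail, do not crash */
    snprintf(out, out_len, "%s", s->payload);
    return true;
}

bool bridge_free(handle_t h) {
    object_slot *s = lookup(h);
    if (s == NULL) return false;       /* forged, stale or double free */
    s->in_use = false;                 /* every outstanding copy of h now fails lookup */
    return true;
}

/* Third vulnerability, hardened shape: each operation carries a policy bit saying
 * whether any program may call it, and the dispatcher checks trust before anything else. */
typedef enum { CALLER_UNTRUSTED = 0, CALLER_TRUSTED = 1 } caller_trust;
typedef enum { OP_READ_PAYLOAD = 0, OP_RUN_COMMAND = 1, OP_COUNT } bridge_op;
typedef enum { BRIDGE_OK, BRIDGE_BAD_OP, BRIDGE_DENIED, BRIDGE_BAD_HANDLE } bridge_status;

static const bool g_requires_trust[OP_COUNT] = {
    [OP_READ_PAYLOAD] = false,   /* harmless: fine for any program */
    [OP_RUN_COMMAND]  = true,    /* could take any action on the machine */
};

bridge_status bridge_dispatch(caller_trust caller, bridge_op op, handle_t h,
                              char *out, size_t out_len) {
    if ((unsigned)op >= OP_COUNT) return BRIDGE_BAD_OP;
    if (g_requires_trust[op] && caller != CALLER_TRUSTED)
        return BRIDGE_DENIED;          /* the check the flawed class did not make */
    object_slot *s = lookup(h);
    if (s == NULL) return BRIDGE_BAD_HANDLE;
    if (op == OP_RUN_COMMAND)          /* stand-in for the privileged action */
        snprintf(out, out_len, "would run: %s", s->payload);
    else
        snprintf(out, out_len, "%s", s->payload);
    return BRIDGE_OK;
}

int main(void) {
    char buf[64];
    handle_t h = bridge_alloc("select 1");   /* constructed sample payload */
    printf("garbage handle rejected: %d\n", !bridge_payload_checked(0xDEADBEEFu, buf, sizeof buf));
    printf("untrusted caller denied: %d\n",
           bridge_dispatch(CALLER_UNTRUSTED, OP_RUN_COMMAND, h, buf, sizeof buf) == BRIDGE_DENIED);
    return 0;
}
```

The generation counter is what turns a stale handle into a clean failure instead of a read of memory that now belongs to something else; the per-operation policy table is the differentiation that the XML class lacked, and because the trust check runs before the handle lookup, an untrusted caller learns nothing about which handles are valid.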

STATUS

Microsoft has confirmed that these problems constitute security vulnerabilities in the Microsoft VM.

MORE INFORMATION

For more information, visit the following Microsoft Web sites:
http://www.microsoft.com/technet/security/bulletin/MS02-052.mspx
http://www.microsoft.com/technet/security/bulletin/MS03-011.mspx

APPLIES TO
  • Microsoft Java Virtual Machine, when used with:
    • Microsoft Windows XP
    • Microsoft Windows Millennium Edition
    • Microsoft Windows 2000
    • Microsoft Windows NT 4.0
    • Microsoft Windows 98 Second Edition
    • Microsoft Windows 98 Standard Edition
Keywords: 
kbqfe kbbug kbfix kbsecbulletin kbsecurity kbsecvulnerability KB329077