Microsoft small business knowledge base

Article ID: 816093 - Last Review: June 20, 2014 - Revision: 18.0

Notice
The Microsoft virtual machine (Microsoft VM) update that was previously listed in this article is no longer available. For more information, visit the following Microsoft Web pages:
http://www.microsoft.com/mscorp/java/default.mspx
http://support.microsoft.com/gp/lifean12

Technical Update

July 17, 2003: This article was updated to add information about Windows 2000 Service Pack 4 and Windows Server 2003.

November 10, 2003: The "Restart Requirement" section was updated.

April 23, 2004: This article was updated to remove information about Windows 2000 Service Pack 4.

Symptoms

The Microsoft VM is a virtual machine for the Win32 operating environment. The Microsoft VM is shipped in most versions of Windows and in most versions of Microsoft Internet Explorer. A new security vulnerability has been reported that affects the ByteCode Verifier component of the Microsoft VM. It occurs because the ByteCode Verifier does not correctly check for certain malicious code when a Java applet is being loaded.

The attack vector for this new security issue would likely involve an attacker creating a malicious Java applet and inserting it into a Web page that would exploit this vulnerability when the page was opened. An attacker could then host this malicious Web page on a Web site or could send it to a user in e-mail. The present Microsoft VM has been updated to include a fix for this newly reported security vulnerability. This version of the VM includes all previously released fixes to the VM.

Workaround

There are a number of workarounds that you may be able to apply temporarily while you evaluate and test the new Microsoft VM:
  • In an enterprise environment, you can use application filters at the firewall to examine and block mobile code.
  • You can use a later Microsoft e-mail client, such as Microsoft Outlook 2002 or Outlook Express 6. By default, the e-mail attack vector is prevented in later versions of Outlook. If you are using an earlier Microsoft Outlook client, such as Outlook 98 or Outlook 2000, the e-mail vector is blocked if the Outlook Email Security Update is used.
  • You can prevent Java applets from being run in the Internet Explorer Internet zone. Note that if you disable Java applets, your ability to view certain Web pages may be affected. To disable Java applets:
    1. On the Tools menu, click Internet Options, click the Security tab, and then click Custom Level.
    2. In the Settings box, click Disable Java under Java Permissions, click OK, and then click OK again.

Status

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.

More information

To determine the Microsoft VM build number on a computer that is running Windows 98, Windows 98 Second Edition, or Windows Millennium Edition, follow these steps:
  1. Click Start, and then click Run.
  2. In the Open box, type command, and then click OK.
  3. At the command prompt, type jview, and then press ENTER.

    The version information appears on the first line as "Version n.nn.nnnn," where the last four digits are the build number. For example, 5.00.3802 is Microsoft VM build 3802.

To determine the Microsoft VM build number on a computer running Windows NT 4.0, Windows 2000, or Windows XP, follow these steps:
  1. Click Start, and then click Run.
  2. In the Open box, type cmd, and then click OK.
  3. At the command prompt, type jview, and then press ENTER.

    Notice that the version information appears on the first line as "Version n.nn.nnnn," where the last four digits are the build number. For example, 5.00.3802 is Microsoft VM build 3802.
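
When jview output has been collected from many computers, the build check described above can be scripted. The following Python sketch is an added example, not part of the original article: it reads the "Version n.nn.nnnn" field from the first line of each capture and compares the build with a minimum that you supply. The host names, the banner wording other than the Version field, and the threshold value are constructed placeholders; take the real minimum build from the MS03-011 bulletin.

```python
import re

# "Version n.nn.nnnn" as described in the article; the last four digits are the build.
VERSION_RE = re.compile(r"\bVersion\s+(\d+)\.(\d{2})\.(\d{4})\b")

# Placeholder threshold (assumption): replace with the build named in MS03-011.
PLACEHOLDER_MIN_BUILD = 9000

# Constructed captures of jview output, keyed by hypothetical host name.
SAMPLE_CAPTURES = {
    "ws-01": "Microsoft (R) Command-line Loader for Java Version 5.00.3802\n"
             "Usage: JView [options] <classname> [arguments]\n",
    "ws-02": "\nMicrosoft (R) Command-line Loader for Java Version 5.00.9001\n",
    "ws-03": "'jview' is not recognized as an internal or external command,\n"
             "operable program or batch file.\n",
}


def parse_jview_build(output):
    """Return the build number from the first non-empty line, or None."""
    for line in output.splitlines():
        if line.strip():
            match = VERSION_RE.search(line)
            return int(match.group(3)) if match else None
    return None


def triage(captures, minimum_build):
    """Map each host to (status, build); status is ok, needs-update or unknown."""
    report = {}
    for host, output in captures.items():
        build = parse_jview_build(output)
        if build is None:
            # jview missing or banner unreadable: check this computer by hand.
            report[host] = ("unknown", None)
        elif build < minimum_build:
            report[host] = ("needs-update", build)
        else:
            report[host] = ("ok", build)
    return report


if __name__ == "__main__":
    results = triage(SAMPLE_CAPTURES, PLACEHOLDER_MIN_BUILD)
    for host, (status, build) in sorted(results.items()):
        print(host, status, build)
```

A result of "unknown" means only that no version line was found in the capture; it does not show that the Microsoft VM is absent from that computer.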

For more information about this vulnerability, visit the following Microsoft Web site:
http://www.microsoft.com/technet/security/bulletin/MS03-011.mspx

References

For more information about how this patch applies to Windows 2000 Service Pack 4, click the following article number to view the article in the Microsoft Knowledge Base:
820101 (http://support.microsoft.com/kb/820101/) Frequently asked questions about the Microsoft VM and Windows 2000 service pack 4
For more information about the differences between Windows XP Service Pack 1 and Windows XP Service Pack 1a, click the following article number to view the article in the Microsoft Knowledge Base:
813926 (http://support.microsoft.com/kb/813926/) Differences between Windows XP Service Pack 1 and Windows XP Service Pack 1a

Applies to
  • Microsoft Windows Server 2003, Enterprise x64 Edition
  • Microsoft Windows Server 2003, Datacenter Edition (32-bit x86)
  • Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)
  • Microsoft Windows Server 2003, Standard Edition (32-bit x86)
  • Microsoft Windows Server 2003, Web Edition
  • Microsoft Windows XP Professional
  • Microsoft Windows XP Home Edition
  • Microsoft Windows XP Tablet PC Edition
  • Microsoft Windows XP Media Center Edition 2005 Update Rollup 2
  • Microsoft Windows NT Server 4.0 Standard Edition
  • Microsoft Windows NT Workstation 4.0 Developer Edition
  • Microsoft Windows Small Business Server 2003 Premium Edition
  • Microsoft Windows Small Business Server 2003 Standard Edition
Keywords: 
kbdownload kbenv kbsecvulnerability kbsecbulletin kbsecurity kbqfe kbfix kbbug KB816093