April 9th, 2003, 10:19 PM
MS Virtual Machine Flaw
Guys, I just received notification of yet another flaw in a Microsoft product via an email from WatchGuard's LiveSecurity Service. This one is concerning the Microsoft Virtual Machine, Microsoft's software to run Java code. I figure this will be of help to some.
If you are using Microsoft VM, looks like it's time to patch again...
Today, Microsoft released a Security Bulletin describing a critical
flaw in Microsoft Virtual Machine (VM), which comes with most
versions of Windows and Internet Explorer. By enticing your users to
a malicious Web page or sending them an HTML e-mail, a hacker could
exploit this flaw to take control of your users' machines. There is
no direct impact on WatchGuard products. Administrators whose
clients use Windows and Internet Explorer should download and
install the Microsoft Virtual Machine patch as soon as possible.
The Microsoft Virtual Machine (VM) is a software engine used by Windows to process and run Java
code. When your Windows users visit Web sites with special Java
applets, such as Java games, Internet Explorer (IE) uses VM to execute
the Java code. Most versions of Windows and IE come with VM so your
Windows users probably have it installed on their systems.
In their security bulletin Microsoft describes a critical vulnerability that resides in a
process in VM called the ByteCode Verifier. VM uses the ByteCode
Verifier to check the validity of all Java code it loads.
Unfortunately, the ByteCode Verifier does not properly check for a
particular invalid sequence of byte code. By crafting a malicious
Java applet that takes advantage of this illegal sequence, a hacker
can execute code on your users' systems with their privileges. If
your users have local administrative privileges, the hacker could
exploit this flaw to gain total control of your users' machines.
However, the hacker would first need to entice your users to a
malicious Web page or send them an HTML e-mail in order to deliver
their malicious Java applet.
Microsoft has provided a patch to fix these vulnerabilities. There
are two different ways you can acquire and deploy the Java VM patch:
individually, or centrally.
* You could direct your users to independently visit the
Windows Update Web page
<http://www.microsoft.com/windowsupdate>. The Windows Update
page automatically checks your user's machine and decides what
Microsoft patches and downloads to offer. If your user's machine
is vulnerable to the Java VM flaws, Windows Update will provide
the VM patch in a list of "Critical Updates." There are a few
risks to acquiring the VM patch through Windows Update. First,
during the update, your users will have the option of
downloading and installing many other patches that you might not
have tested or approved. An untested patch could crash a system
in your environment. Second, having your users install whatever
they want prevents you from implementing version control within
your enterprise. Finally, this method is inefficient for all but
the smallest organizations, because having 300 users with
Windows 2000 download the same patch 300 separate times wastes
hours and bandwidth.
* Network administrators who want to first test the patch and
then deploy it throughout their network, rather than having
their clients use Windows Update, should follow the directions
in Microsoft's advisory.
The directions begin near the end of the "Frequently Asked
Questions" section in a paragraph beginning with, "I'm a network
administrator." (We've verified these directions work to
download the patch on Windows 2000, XP, 98 and ME machines, but
the directions do not seem accurate when using the Windows
Update page with Windows NT 4.0. As far as we are able to
determine, the solution above is the only way NT users can
obtain the fix.)
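To make concrete what the bulletin means by a ByteCode Verifier that "checks the validity of all Java code it loads", here is a toy verifier added for this thread. It is not Microsoft's code and not the real JVM verification algorithm; it only carries the same idea in Python over a handful of JVM-like opcodes: abstractly execute the method along every control-flow path and refuse it if the operand stack or a local slot could ever hold the wrong kind of value. The opcode names are borrowed from the JVM, but the tuple operand encoding, the three abstract types (int, ref, top) and the sample methods are all constructed for the illustration. The last sample in `main` is the kind of sequence a verifier exists to stop: a reference is stored and then read back as an int, which is exactly the sort of check the sandbox depends on and which a verifier bug would let through.

```python
"""Toy JVM-style bytecode verifier (added illustration, not Microsoft VM code).
Abstractly executes a small opcode subset along every control-flow path and
rejects any method whose operand stack or locals could hold the wrong kind of
value. Only three abstract types exist: int, ref, and top ("nothing usable")."""
from collections import deque

INT, REF, TOP = "int", "ref", "top"


class VerifyError(Exception):
    """Raised for any instruction sequence the verifier must refuse to load."""


def step(pc, ins, stack, locals_, max_stack):
    """Abstractly execute one instruction; return its successor (pc, stack, locals) states."""
    op, *args = ins
    stack, locals_ = list(stack), list(locals_)

    def pop(expected):
        if not stack:
            raise VerifyError(f"pc {pc}: {op}: operand stack underflow")
        got = stack.pop()
        if got != expected:
            raise VerifyError(f"pc {pc}: {op}: expected {expected} on stack, found {got}")

    def push(kind):
        if len(stack) >= max_stack:
            raise VerifyError(f"pc {pc}: {op}: operand stack overflow (max_stack={max_stack})")
        stack.append(kind)

    if op in ("istore", "astore", "iload", "aload") and not 0 <= args[0] < len(locals_):
        raise VerifyError(f"pc {pc}: {op}: local slot {args[0]} out of range")

    if op == "iconst":
        push(INT)
    elif op == "aconst_null":
        push(REF)
    elif op == "iadd":
        pop(INT)
        pop(INT)
        push(INT)
    elif op in ("istore", "astore"):  # store an int/ref into local slot args[0]
        want = INT if op == "istore" else REF
        pop(want)
        locals_[args[0]] = want
    elif op in ("iload", "aload"):  # load only if the slot really holds that kind
        want = INT if op == "iload" else REF
        if locals_[args[0]] != want:
            raise VerifyError(f"pc {pc}: {op}: local {args[0]} holds {locals_[args[0]]}, not {want}")
        push(want)
    elif op == "ifeq":  # conditional branch: fall-through and target are both successors
        pop(INT)
        return [(pc + 1, stack, locals_), (args[0], stack, locals_)]
    elif op == "goto":
        return [(args[0], stack, locals_)]
    elif op == "ireturn":  # method ends here: no successor
        pop(INT)
        return []
    else:
        raise VerifyError(f"pc {pc}: unknown opcode {op!r}")
    return [(pc + 1, stack, locals_)]


def verify(code, max_stack, max_locals, params=()):
    """Data-flow check: every reachable pc must settle on one consistent abstract state."""
    entry = ((), tuple(params) + (TOP,) * (max_locals - len(params)))
    states, work = {0: entry}, deque([0])
    while work:
        pc = work.popleft()
        if not 0 <= pc < len(code):
            raise VerifyError(f"control reaches pc {pc}, outside the method")
        for npc, nstack, nlocals in step(pc, code[pc], *states[pc], max_stack):
            nstack, nlocals = tuple(nstack), tuple(nlocals)
            if npc not in states:
                states[npc] = (nstack, nlocals)
                work.append(npc)
                continue
            ostack, olocals = states[npc]
            if ostack != nstack:
                raise VerifyError(f"pc {npc}: operand stack differs between paths ({ostack} vs {nstack})")
            merged = tuple(a if a == b else TOP for a, b in zip(olocals, nlocals))  # disagreeing locals -> top
            if merged != olocals:
                states[npc] = (ostack, merged)
                work.append(npc)
    return True


def report(code, max_stack, max_locals, params=()):
    """None if the method verifies, otherwise the reason it was rejected."""
    try:
        verify(code, max_stack, max_locals, params)
        return None
    except VerifyError as e:
        return str(e)


if __name__ == "__main__":
    # Constructed samples: a well-formed 2 + 3, then a method that stores a
    # reference and reads the same slot back as an int (rejected).
    print(report([("iconst", 2), ("iconst", 3), ("iadd",), ("ireturn",)], 2, 0))
    print(report([("aconst_null",), ("astore", 0), ("iload", 0), ("ireturn",)], 1, 1))
```

The merge step is the part worth studying: when two paths reach the same instruction, the stacks must agree exactly and any local slot the paths disagree on is downgraded to `top`, so a later load from it is rejected. A verifier that skipped a check of this kind for some "particular invalid sequence" would let a method pass that the runtime then executes with a reference where it expects an int, or vice versa, which is the class of weakness the bulletin describes.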
April 9th, 2003, 10:30 PM
if the sun rises in the east, it's time to patch again with M$.....wonder how many more patches it will take to make a quilt?
It isn't paranoia when you KNOW they're out to get you...
April 9th, 2003, 11:09 PM
Wow, this lil bugger weighs in at over 2.5 megs... I'm used to seeing openbsd patches @ usually under 50k, heh
Have you filled out an ID-10-T or PEBKAK form lately?
April 9th, 2003, 11:36 PM
If I had a dime for every time I had to patch something on the computer I would have $294.30. That is more than enough money to buy a professional version of Linux 4 times!!! and still have money left over for a bible.