Results 1 to 4 of 4

Thread: MS Virtual Machine Flaw

  1. #1
    Top Gun Maverick811's Avatar
    Join Date
    Oct 2001

    MS Virtual Machine Flaw

    Guys, I just recieved notification of yet another flaw in a Microsoft product via an email from WatchGuard's LiveSecurity Service. This one is concerning the Microsoft Virtual Machine, Microsoft's software to run Java code. I figure this will be of help to some.

    If you are using Microsoft VM, looks like it's time to patch again...

    Today, Microsoft released a Security Bulletin describing a critical
    flaw in Microsoft Virtual Machine (VM), which comes with most
    versions of Windows and Internet Explorer. By enticing your users to
    a malicious Web page or sending them an HTML e-mail, a hacker could
    exploit this flaw to take control of your users' machines. There is
    no direct impact on WatchGuard products. Administrators whose
    clients use Windows and Internet Explorer should download and
    install the Microsoft Virtual Machine patch as soon as possible.

    The Microsoft Virtual Machine (VM)
    is a software engine used by Windows to process and run Java
    code. When your Windows users visit Web sites with special Java
    et>, such as Java games, Internet Explorer (IE) uses VM to execute
    the Java code. Most versions of Windows and IE come with VM so your
    Windows users probably have it installed on their systems.

    In their security bulletin
    Microsoft describes a critical vulnerability that resides in a
    process in VM called the ByteCode Verifier. VM uses the ByteCode
    Verifier to check the validity of all Java code it loads.
    Unfortunately, the ByteCode Verifier does not properly check for a
    particular invalid sequence of byte code. By crafting a malicious
    Java applet that takes advantage of this illegal sequence, a hacker
    can execute code on your users' systems with their privileges. If
    your users have local administrative privileges, the hacker could
    exploit this flaw to gain total control of your users' machines.
    However, the hacker would first need to entice your users to a
    malicious Web page or send them an HTML e-mail in order to deliver
    their malicious Java applet.

    Microsoft has provided a patch to fix these vulnerabilities. There
    are two different ways you can acquire and deploy the Java VM patch:
    individually, or centrally.

    * You could direct your users to independently visit the
    Windows Update Web page
    <http://www.microsoft.com/windowsupdate>. The Windows Update
    page automatically checks your user's machine and decides what
    Microsoft patches and downloads to offer. If your user's machine
    is vulnerable to the Java VM flaws, Windows Update will provide
    the VM patch in a list of "Critical Updates." There are a few
    risks to acquiring the VM patch through Windows Update. First,
    during the update, your users will have the option of
    downloading and installing many other patches that you might not
    have tested or approved. An untested patch could crash a system
    in your environment. Second, having your users install whatever
    they want prevents you from implementing version control within
    your enterprise. Finally, this method is inefficient for all but
    the smallest organizations, because having 300 users with
    Windows 2000 download the same patch 300 separate times wastes
    hours and bandwidth.
    * Network administrators who want to first test the patch and
    then deploy it throughout their network, rather than having
    their clients use Windows Update, should follow the directions
    in Microsoft's advisory.
    The directions begin near the end of the "Frequently Asked
    Questions" section in a paragraph beginning with, "I'm a network
    administrator." (We've verified these directions work to
    download the patch on Windows 2000, XP, 98 and ME machines, but
    the directions do not seem accurate when using the Windows
    Update page with Windows NT 4.0. As far as we are able to
    determine, the solution above is the only way NT users can
    obtain the fix.)

  2. #2
    Old Fart
    Join Date
    Jun 2002
    if the sun rises in the east, it's time to patch again with M$.....wonder how many more patches it will take to make a quilt?
    It isn't paranoia when you KNOW they're out to get you...

  3. #3
    Join Date
    Oct 2002
    Wow, this lil bugger weighs in at over 2.5 megs... I'm used to seeing openbsd patches @ usually under 50k, heh
    Have you filled out an ID-10-T or PEBKAK form lately?

  4. #4
    Join Date
    Feb 2003
    If I had a dime for every time I had to patch something on the computer I would have $294.30. That is more than enough money to buy a proffesional version of Linux 4 times!!! and still have money left over for a bible.

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts