Microsoft Security Bulletin (MS99-045)

[aleph1 () UNDERGROUND ORG (Aleph One)]

The following is a Security  Bulletin from the Microsoft Product Security
Notification Service.

Please do not  reply to this message,  as it was sent  from an unattended
mailbox.
                    ********************************

Microsoft Security Bulletin (MS99-045)
--------------------------------------

Patch Available "Virtual Machine Verifier" Vulnerability
Originally Posted: October 21, 1999

Summary
=======
Microsoft has released a new version of the Microsoft(r) virtual machine
(Microsoft VM) that  eliminates a security vulnerability that could allow a
Java applet to take unauthorized actions  on the computer of a web site
visitor. Although no standard Java compiler can generate such an  applet, a
Java applet constructed by hand with a Java bytecode assembler could bypass
the sandbox  and take virtually any action on the computer that the user
would be capable of taking.

Frequently asked questions regarding this vulnerability can be found
at http://www.microsoft.com/security/bulletins/MS99-045faq.asp.

Issue
=====
The Microsoft VM is a virtual machine for the Win32(r) operating
environment. It runs atop  Microsoft Windows(r) 95, 98 or Windows NT(r). It
ships as part of each operating system, and also  as part of Microsoft
Internet Explorer.

The version of the Microsoft VM that ships with Microsoft Internet Explorer
4.0 and Internet  Explorer 5.0 contains a security vulnerability in the
bytecode verifier that could allow a Java  applet to operate outside the
bounds set by the sandbox. If hosted on a web site, it could cause  any
action to be taken on the computer of a visiting user that the user himself
could take. This  could include, for example, creating, deleting or
modifying files, sending data to or receiving  data from a web site, or
reformatting the hard drive.

Affected Software Versions
==========================
Versions of the Microsoft VM are identified by build numbers, which can be
determined using the  JVIEW tool, as discussed in the FAQ. The following
builds of the Microsoft VM are affected:
 - All builds in the 2000 series
 - All builds in the 3000 series prior to but not including build 3188

NOTE: The Microsoft VM ships as part of several products. However, the
primary ship vehicle is  Internet Explorer. IE 4 ships with builds in the
2000 series; IE 5 ships with builds in the 3000  series.

Patch Availability
==================
 - http://www.microsoft.com/java/vm/dl_vm32.htm

NOTE: The above URL installs the latest version of the 3000 series. It can
be installed by  anyone, including customers currently using a 2000 series
build. A new version in the 2000 series  will be available shortly for
customers who are using a 2000 series build and do not wish to  upgrade to
the 3000 series. When this is available, we will modify the bulletin to
provide the  specific URL.

NOTE: A patch also will be available shortly at
http://windowsupdate.microsoft.com. When this  happens, we will modify the
bulletin to provide the specific URL.

More Information
================
Please see the following references for more information related to this
issue.
 - Microsoft Security Bulletin MS99-045: Frequently Asked Questions,
   http://www.microsoft.com/security/bulletins/MS99-045faq.asp.
 - Microsoft Knowledge Base (KB) article Q244283,
   Bypassing Java Sandbox Results in VM Security Vulnerability,
   http://support.microsoft.com/support/kb/articles/q244/2/83.asp.
   (Note: It may take 24 hours from the original posting of this bulletin
   for this KB article to be visible.)
 - Microsoft Security Advisor web site,
   http://www.microsoft.com/security/default.asp.

Obtaining Support on this Issue
===============================
This is a fully supported patch. Information on contacting Microsoft
Technical Support is available at
http://support.microsoft.com/support/contact/default.asp.

Revisions
=========
 - October 21, 1999: Bulletin Created.

-----------------------------------------------------------------------

THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS"
WITHOUT WARRANTY OF  ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER
EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES  OF MERCHANTABILITY AND FITNESS
FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION  OR ITS
SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT,
INCIDENTAL,  CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES,
EVEN IF MICROSOFT CORPORATION OR ITS  SUPPLIERS HAVE BEEN ADVISED OF THE
POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE  EXCLUSION OR
LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE
FOREGOING  LIMITATION MAY NOT APPLY.

(c) 1999 Microsoft Corporation. All rights reserved. Terms of Use.

   *******************************************************************
You have received  this e-mail bulletin as a result  of your registration
to  the   Microsoft  Product  Security  Notification   Service.  You  may
unsubscribe from this e-mail notification  service at any time by sending
an  e-mail  to  MICROSOFT_SECURITY-SIGNOFF-REQUEST () ANNOUNCE MICROSOFT COM
The subject line and message body are not used in processing the request,
and can be anything you like.

For  more  information on  the  Microsoft  Security Notification  Service
please visit http://www.microsoft.com/security/services/bulletin.asp. For
security-related information  about Microsoft products, please  visit the
Microsoft Security Advisor web site at http://www.microsoft.com/security.