
Microsoft VM Critical vulnerability

Attack ID: CPAI-2003-12
Category: Windows VM remote exploit
Vulnerable Systems: Microsoft Windows 95
Microsoft Windows 98 and 98SE
Microsoft Windows Millennium
Microsoft Windows NT 4.0, beginning with Service Pack 1
Microsoft Windows 2000
Microsoft Windows XP

The Microsoft VM also shipped as part of several versions of Internet Explorer and other products. See the Additional Information section.

Source: Microsoft Security Bulletin MS03-011
CVE: CAN-2003-0111
Description: There is a flaw in the way that the ByteCode Verifier, a Microsoft VM process, conducts its checks when it loads code. It does not correctly check for a particular illegal sequence of byte codes, so a malicious applet could take advantage of the missing check and bypass subsequent security checks.
Severity:
  An attacker could seek to exploit this vulnerability by creating a malicious Java applet and inserting it into a web page that is either accessed via a web browser or sent to a user in email.
Details:

The Microsoft VM is a virtual machine for the Windows (Win32) operating environment. It ships in most versions of Windows, as well as in most versions of Internet Explorer.

This security vulnerability affects the ByteCode Verifier component of the Microsoft VM; it arises because the ByteCode Verifier does not correctly check for the presence of certain malicious code when a Java applet is being loaded. The attack vector would most likely involve an attacker creating a malicious Java applet and inserting it into a web page that, when opened, would exploit the vulnerability.

Attack Detection: Using the SmartView Tracker, identify either SMTP logs with "reason: mail has been stripped" or HTTP logs with "reason: Content Security - access denied" in the Information field, together with the other connection parameters.
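The following is an added example, not part of this advisory, that applies the detection rule above to a handful of constructed log records. It assumes a simplified "field: value; field: value" export layout for SmartView Tracker records (the real export format may differ, so adapt parse_record to yours); the source and destination addresses are documentation-range values made up for the sample.

```python
import re
from typing import Dict, List

# Constructed sample records in an assumed "field: value;" layout.
SAMPLE_LOGS = [
    "time: 10:42:01; action: accept; service: smtp; src: 203.0.113.7; dst: 192.0.2.25; "
    "reason: mail has been stripped; info: Strip MIME of type message/partial",
    "time: 10:42:09; action: accept; service: http; src: 192.0.2.34; dst: 198.51.100.10; "
    "reason: Content Security - access denied; info: Strip Applet Tags",
    "time: 10:43:11; action: accept; service: http; src: 192.0.2.40; dst: 198.51.100.11; "
    "reason: ; info: -",
    "time: 10:44:02; action: drop; service: smtp; src: 203.0.113.9; dst: 192.0.2.25; "
    "reason: rule 7; info: -",
]

# The two reason strings the advisory tells the administrator to look for,
# keyed by the Security Server (service) that writes them.
STRIP_REASONS = {
    "smtp": "mail has been stripped",
    "http": "Content Security - access denied",
}

# One "name: value" pair; the value may contain colons (timestamps) but not ';'.
FIELD_RE = re.compile(r"\s*([^:;]+):\s*([^;]*)")


def parse_record(line: str) -> Dict[str, str]:
    """Split one 'field: value; field: value' line into a dict of stripped values."""
    return {k.strip(): v.strip() for k, v in FIELD_RE.findall(line)}


def is_strip_event(rec: Dict[str, str]) -> bool:
    """True when the record is a Security Server strip event for this advisory."""
    expected = STRIP_REASONS.get(rec.get("service", "").lower())
    return expected is not None and rec.get("reason", "") == expected


def find_strip_events(lines: List[str]) -> List[Dict[str, str]]:
    """Return the parsed records matching either strip reason, in log order."""
    return [rec for rec in map(parse_record, lines) if is_strip_event(rec)]


if __name__ == "__main__":
    for rec in find_strip_events(SAMPLE_LOGS):
        print(f"{rec['time']} {rec['service'].upper()} {rec['src']} -> {rec['dst']}: "
              f"{rec['reason']} ({rec['info']})")
```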
Solution:

Until all Microsoft-based clients and servers are updated with the latest recommended patches, security administrators should use both the SMTP and HTTP Security Servers to strip Java applets that users could otherwise receive either through a browser or via email sent by a malicious user.

In addition, as described in previous advisories (CPAI-2003-06 and CPAI-2003-10), it is good security practice to use the SMTP Security Server to block dangerous attacks against mail servers.

Stripping Java using SMTP Security Server:

Define an SMTP resource that blocks the message/partial MIME type and Java applets.

The rule looks like the following:

SRC=ANY, DST=Incoming SMTP server, Service=Resourced SMTP, Action=accept and log

The SMTP resource looks like the following:

SMTP Resource->Action2 tab

Strip MIME of type: message/partial

Strip file by name: (enter file extensions here, based on your security policy)

Weeding: Strip all Script Tags, links and port strings

Stripping Java using HTTP Security Server:

Define an HTTP (URI) resource that blocks Java applets.

The rule looks like the following:

SRC=Surfers_LAN, DST=ANY, Service=Resourced HTTP (URI), Action=accept and log

URI resource -> Action tab

Strip Applet Tags

The complete resource definition is based on the network topology and security policy.

Additional Information:

The Microsoft VM also shipped as part of several versions of Internet Explorer and other products. If you are in doubt about whether you have it installed, do the following:

Select Start, then Run.

Open a command box, as follows:

If you are running Windows 98 or Windows Millennium, type "command" (without the quotes), then press Enter.

If you are running Windows NT 4.0, Windows 2000, or Windows XP, type "cmd" (without the quotes), then press Enter.

In the resulting command box, type "Jview" (without the quotes). If a program runs, you have the Microsoft VM installed. If you receive an error saying that no program by that name exists, you do not.