Bug leaves Windows open to Java attack

Microsoft said that its Virtual Machine fails to catch certain malicious code in Java applets, allowing an attacker to take control of a PC

Microsoft has warned of three new flaws affecting its software, the most serious of which would allow an attacker to gain full control of a user's PC using a Java applet. The three warnings, all issued on Wednesday, involve the Microsoft Virtual Machine for running Java applets on Windows; a cross-site scripting bug in a component of Windows 2000 and Windows NT 4.0; and a denial-of-service bug affecting Proxy Server 2.0 and ISA Server. With the three alerts, Microsoft has issued 12 new warnings so far this year. Late last month the company issued patches for Windows and IIS. The Virtual Machine (VM) flaw is the most serious, meriting a "critical" rating from Microsoft. The VM ships with most versions of Windows and some versions of Internet Explorer, and is used to run programs called "applets" written in Sun Microsystems' Java language. A VM component called the ByteCode Verifier does not correctly check for the presence of certain malicious code when the applet is being loaded, meaning that an attacker could slip malicious code onto a user's PC. This malicious applet, which could be delivered via a Web page or an email, could allow the attacker to run code of his choice on the PC, doing anything from erasing the hard drive to implanting a "back door" leaving the machine vulnerable to future attacks. Microsoft said that Windows installations containing the VM include Windows 95, Windows 98 and 98SE, Windows ME, Windows NT 4.0, beginning with Service Pack 1, Windows 2000 and Windows XP. VM builds 5.0.3802 up to and including build 5.0.3809 were tested and found to be affected, although earlier builds are probably also vulnerable, the company said. The latest builds, 3810 and later, should be downloaded and installed in order to eliminate the vulnerability. Instructions for downloading and installing the software can be found on Microsoft's Web site. Microsoft noted that for the exploit to work, the attacker would have to entice the user to view a malicious Web site or open a malicious email. Email clients that place restrictions on HTML content in messages, such as some newer versions of Outlook, would prevent the attack from succeeding. Cross-site scripting bug
The Cross-site scripting (CSS) bug affects Microsoft Indexing Services for Windows 2000 and Windows NT 4.0. Cross-site scripting attacks were first publicised in February of 2000, and can affect a variety of different server-side software, enabling an attacker to insert malicious code into a user's browsing session via a trusted Web site. Microsoft said that a component of Indexing Services called CiWebHitsFile is vulnerable to a CSS attack, and released a patch to fix it. Indexing Services is a search service integrated into Internet Information Server and Windows 2000. Denial of service vulnerability
Microsoft's Proxy Server 2.0 and ISA Server contain a vulnerability that allows an attacker from within the network to put them out of commission using a specially-crafted data packet. The packet causes the software to hit 100 percent CPU utilisation and stop responding to internal and external requests. While a reboot allows the software to function again, it is still vulnerable to the same attack. Specifically, the two pieces of software both contain a flawed version of the Winsock Proxy service, which enables certain client-side applications to function as though they had a direct Internet connection, while routing their traffic through an internal server. Microsoft released a patch for the bug on its Web site, and noted that while the attack could shut the servers down, it did not allow a hacker to gain any higher privileges or compromise any content cached on the server.

For all security-related news, including updates on the latest viruses, hacking exploits and patches, check out ZDNet UK's Security News Section. Let the editors know what you think in the Mailroom.