__________________________________________________________ The U.S. Department of Energy Computer Incident Advisory Capability ___ __ __ _ ___ / | /_\ / \___ __|__ / \ \___ __________________________________________________________ INFORMATION BULLETIN Microsoft VM JDBC Classes Vulnerabilities [Microsoft Security Bulletin MS02-052] September 19, 2002 19:00 GMT Number M-126 ______________________________________________________________________________ PROBLEM: Three vulnerabilities have been identified in Microsoft's virtual machine for the Win32 operating environment. 1) a flaw in the way the classes vet a request to load and execute a DLL on the user’s system 2) certain functions in the classes don’t correctly validate handles that are provided as input 3) a class that provides support for the use of XML by Java applications, the class does not differentiate correctly between trusted and untrusted applets PLATFORM: All builds of the Microsoft VM up to and including build 5.0.3805. DAMAGE: The most serious of which could enable an attacker to gain complete control over a user’s system. SOLUTION: Apply available patch ______________________________________________________________________________ VULNERABILITY The risk is MEDIUM. An attacker would likely create a web page ASSESSMENT: that, when opened, exploits the desired vulnerability, and either host it on a web page or send it to a user as an HTML mail. ______________________________________________________________________________ LINKS: CIAC BULLETIN: http://www.ciac.org/ciac/bulletins/m-126.shtml ORIGINAL BULLETIN: http://www.microsoft.com/technet/treeview/?url= /technet/security/bulletin/MS02-052.asp PATCHES: http://Windowsupdate.microsoft.com ______________________________________________________________________________ [***** Start Microsoft Security Bulletin MS02-052 *****] Microsoft Security Bulletin MS02-052 Flaw in Microsoft VM JDBC Classes Could Allow Code Execution (Q329077) Originally posted: September 18, 2002 Summary Who should read this bulletin: All customers using Microsoft® Windows®. Impact of vulnerability: Three vulnerabilities, the most serious of which could enable an attacker to gain complete control over a user’s system. Maximum Severity Rating: Critical Recommendation: Customers should apply the patch immediately. Affected Software: Versions of the Microsoft virtual machine (Microsoft VM) are identified by build numbers, which can be determined using the JVIEW tool as discussed in the FAQ. All builds of the Microsoft VM up to and including build 5.0.3805 are affected by these vulnerabilities. Technical details Technical description: The Microsoft VM is a virtual machine for the Win32® operating environment. The Microsoft VM shipped in most versions of Windows (a complete list is available in the FAQ), as well as in most versions of Internet Explorer. It also was available for some time as a separate download. A new patch for the Microsoft VM is available, which eliminates three security vulnerabilities. The attack vectors for all of them would likely be the same. An attacker would likely create a web page that, when opened, exploits the desired vulnerability, and either host it on a web page or send it to a user as an HTML mail. The first vulnerability involves the Java Database Connectivity (JDBC) classes, which provide features that allow Java applications to connect to and use data from a wide variety of data sources, ranging from flat files to SQL Server databases. The vulnerability results because of a flaw in the way the classes vet a request to load and execute a DLL on the user’s system. Although the classes do perform checks that are designed to ensure that only authorized applets can levy such a request, it’s possible to spoof this check by malforming the request in a particular way, thereby enabling an attacker to load and execute any DLL on the user’s system. The second vulnerability also involves the JDBC classes, and occurs because certain functions in the classes don’t correctly validate handles that are provided as input. One straightforward use of this flaw would involve supplying invalid data in lieu of an actual handle when calling such a function. Microsoft has confirmed that this scenario would cause Internet Explorer to fail. In addition, there is at least a theoretical possibility that the flaw also could enable an attacker to provide data that would have the effect of running code in the security context of the user. The third vulnerability involves a class that provides support for the use of XML by Java applications. This class exposes a number of methods; some of these are suitable for use by any applet, while others are only suitable for use by trusted ones. However, the class does not differentiate correctly between these cases, and instead makes all of the methods available to all applets. Among the functions that could be misused through this vulnerability are ones that would enable an applet to take virtually any desired action on the user’s system. Mitigating factors: In order to exploit any of these vulnerabilities via the web-based attack vector, the attacker would need to entice a user into visiting a web site that the attacker controlled. The vulnerabilities themselves provide no way to force a user to a web site. Java applets are disabled within the Restricted Sites Zone. As a result, any mail client that opened HTML mail within the Restricted Sites Zone, such as Outlook 2002, Outlook Express 6, or Outlook 98 or 2000 when used in conjunction with the Outlook Email Security Update, would not be at risk from the mail-based attack vector. The vulnerability would gain only the privileges of the user, so customers who operate with less than administrative privileges would be at less risk from the vulnerability. Corporate IT administrators could limit the risk posed to their users by using application filters at the firewall to inspect and block mobile code. Severity Rating: Internet Servers Intranet Servers Client Systems DLL execution via JDBC classes Moderate Moderate Critical Handle validation flaw Low Low Low Inappropriate methods exposed Moderate Moderate Critical in XML support classes The above assessment is based on the types of systems affected by the vulnerability, their typical deployment patterns, and the effect that exploiting the vulnerability would have on them. Vulnerability identifier: DLL execution via JDBC classes: CVE-CAN-2002-0866 Handle validation flaw: CVE-CAN-2002-0867 Inappropriate methods exposed in XML support classes: CVE-CAN-2002-0865 Tested Versions: Microsoft tested VM builds 5.0.3167 and later to assess whether they are affected by these vulnerabilities. Previous versions are no longer supported, and may or may not be affected by these vulnerabilities. Patch availability Download location for this patch: http://Windowsupdate.microsoft.com Additional information about this patch Installation platforms: This patch to the Microsoft VM can be installed on systems that are already running the 5.0.3805 version of the Microsoft VM. Inclusion in future service packs: The fix for this issue will be included in all future Microsoft VM builds. Reboot needed: Yes Patch can be uninstalled: No Superseded patches: None. Verifying patch installation: The Knowledge Base article Q329077 provides information to verify that you've installed the patch. Note: Regardless of the version number viewed from Jview, the registry key described in the above article should be the determining factor for proper installation of this patch. Caveats: None Localization: This patch will install all language versions. Obtaining other security patches: Patches for other security issues are available from the following locations: Security patches are available from the Microsoft Download Center, and can be most easily found by doing a keyword search for "security_patch". Patches for consumer platforms are available from the WindowsUpdate web site Other information: Support: Microsoft Knowledge Base article Q329077 discusses this issue and will be available approximately 24 hours after the release of this bulletin. Knowledge Base articles can be found on the Microsoft Online Support web site. Technical support is available from Microsoft Product Support Services. There is no charge for support calls associated with security patches. Security Resources: The Microsoft TechNet Security Web Site provides additional information about security in Microsoft products. Disclaimer: The information provided in the Microsoft Knowledge Base is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply. Revisions: V1.0 (September 18, 2002): Bulletin Created. [***** End Microsoft Security Bulletin MS02-052 *****] _______________________________________________________________________________ CIAC wishes to acknowledge the contributions of Microsoft for the information contained in this bulletin. _______________________________________________________________________________ CIAC, the Computer Incident Advisory Capability, is the computer security incident response team for the U.S. Department of Energy (DOE) and the emergency backup response team for the National Institutes of Health (NIH). CIAC is located at the Lawrence Livermore National Laboratory in Livermore, California. CIAC is also a founding member of FIRST, the Forum of Incident Response and Security Teams, a global organization established to foster cooperation and coordination among computer security teams worldwide. CIAC services are available to DOE, DOE contractors, and the NIH. CIAC can be contacted at: Voice: +1 925-422-8193 (7x24) FAX: +1 925-423-8002 STU-III: +1 925-423-2604 E-mail: ciac@ciac.org Previous CIAC notices, anti-virus software, and other information are available from the CIAC Computer Security Archive. World Wide Web: http://www.ciac.org/ Anonymous FTP: ftp.ciac.org PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing communities receive CIAC bulletins. If you are not part of these communities, please contact your agency's response team to report incidents. Your agency's team will coordinate with CIAC. The Forum of Incident Response and Security Teams (FIRST) is a world-wide organization. A list of FIRST member organizations and their constituencies can be obtained via WWW at http://www.first.org/. This document was prepared as an account of work sponsored by an agency of the United States Government. Neither the United States Government nor the University of California nor any of their employees, makes any warranty, express or implied, or assumes any legal liability or responsibility for the accuracy, completeness, or usefulness of any information, apparatus, product, or process disclosed, or represents that its use would not infringe privately owned rights. Reference herein to any specific commercial products, process, or service by trade name, trademark, manufacturer, or otherwise, does not necessarily constitute or imply its endorsement, recommendation or favoring by the United States Government or the University of California. The views and opinions of authors expressed herein do not necessarily state or reflect those of the United States Government or the University of California, and shall not be used for advertising or product endorsement purposes. LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC) M-116: Microsoft Cumulative Patch for Internet Explorer M-117: Microsoft Office Web Components Vulnerabilities M-118: HP Tru64 Unix Multiple Vulnerabilities M-119: Cisco VPN 3000 Concentrator Multiple Vulnerabilities M-120: Microsoft Visual FoxPro 6.0 Vulnerability M-121: Microsoft Certificate Validation Vulnerability M-122: Remotely Exploitable Buffer Overflow in PGP M-123: Polycom Videoconferencing Remote Vulnerabilities M-124: Konqueror Secure Cookie Vulnerability M-125: Apache/mod_ssl Worm