Microsoft Warns of Virtual Machine Flaws
Security hole could allow attackers to gain control of affected machines.
Microsoft warned users on Wednesday about two new security vulnerabilities affecting its Microsoft Virtual Machine, Microsoft Proxy Server 2.0, and Microsoft ISA Server 2000 products.
The Microsoft Virtual Machine (VM) contains a critical vulnerability that could allow a remote attacker to gain control of affected machines, according to security bulletin MS03-011.
The vulnerability, which occurs in code for a VM process called the ByteCode Verifier, could enable an attacker to use illegal sequences of byte codes to bypass security checks in the software, Microsoft said.
The ByteCode Verifier process is responsible for checking code as it is loaded into the Virtual Machine, the company said.
Attackers could launch an attack using a Java applet embedded in a Web page or an HTML-format e-mail message. Once compromised, a vulnerable machine could be used to run the attacker's code, though only with the permissions of the active user account, Microsoft said.
Key Component
The Microsoft Virtual Machine is a key component of all supported versions of the Windows operating system, including Windows 2000 and Windows XP. The company also ships it with the Internet Explorer Web browser and other Microsoft software.
Although the affected component is widespread, the new vulnerability is of limited utility to attackers, Microsoft said.
Recent releases of the Outlook and Outlook Express e-mail clients, as well as security patches for older versions, prevent Java applets embedded in e-mail messages from being launched. Barring an e-mail-borne attack, users would have to be tricked into visiting a Web page containing the embedded Java applet that launches the Virtual Machine attack.
Microsoft issued a patch for the virtual machine, build 3810, and recommended that customers who use earlier builds upgrade.
Another Flaw Found
Meanwhile, the Microsoft Proxy Server 2.0 and Microsoft ISA Server 2000 vulnerability could enable an individual on an internal network or on the Internet to launch a denial-of-service (DoS) attack against those products, thereby preventing them from responding to internal and external requests, according to information released in Microsoft security bulletin MS03-012.
The vulnerability, which Microsoft rated "important," affects the Winsock Proxy service on Proxy Server 2.0 and the Firewall service on ISA Server 2000. Both services redirect communications from Internet applications to the machines running Proxy Server 2.0 or ISA Server, creating a path to the Internet through those products, according to Microsoft.
A flaw in the way each service handles inbound requests from remote clients means that attackers could use a specially formatted request to cause the products to stop responding.
Despite the denial-of-service capability, however, attackers could not gain remote access to either the ISA Server 2000 or the Proxy Server 2.0 machines, Microsoft said.
Microsoft advised customers who use the affected products to download and install a patch that repairs the affected services, removing the DoS vulnerability.
















