Microsoft KB Archive/816093

= MS03-011: Flaw in the Microsoft VM could enable system compromise =

Article ID: 816093

Article Last Modified on 12/3/2007

-

APPLIES TO


 * Microsoft Windows Server 2003, 64-Bit Datacenter Edition
 * Microsoft Windows Server 2003, Enterprise x64 Edition
 * Microsoft Windows Server 2003, Datacenter Edition (32-bit x86)
 * Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)
 * Microsoft Windows Server 2003, Standard Edition (32-bit x86)
 * Microsoft Windows Server 2003, Web Edition
 * Microsoft Windows XP Professional
 * Microsoft Windows XP Home Edition
 * Microsoft Windows XP Tablet PC Edition
 * Microsoft Windows XP Media Center Edition 2002
 * Microsoft Windows XP Professional for Itanium-based systems
 * Microsoft Windows 2000 Service Pack 2
 * Microsoft Windows 2000 Service Pack 3
 * Microsoft Windows 2000 Service Pack 2
 * Microsoft Windows 2000 Service Pack 3
 * Microsoft Windows 2000 Advanced Server
 * Microsoft Windows 2000 Advanced Server
 * Microsoft Windows Millennium Edition
 * Microsoft Windows NT Server 4.0 Standard Edition
 * Microsoft Windows NT Workstation 4.0 Developer Edition
 * Microsoft Windows NT Server 4.0, Terminal Server Edition
 * Microsoft Windows 98 Second Edition
 * Microsoft Windows 98 Standard Edition
 * Microsoft Windows Small Business Server 2003 Premium Edition
 * Microsoft Windows Small Business Server 2003 Standard Edition

-



Technical Update
July 17, 2003: This article was updated to add information about Windows 2000 Service Pack 4 and Windows Server 2003.

November 10, 2003: The &quot;Restart Requirement&quot; section was updated.

April 23, 2004: This article was updated to remove information about Windows 2000 Service Pack 4.



SYMPTOMS
The Microsoft VM is a virtual machine for the Win32operating environment. The Microsoft VM is shipped in most versions of Windows and in most versions of Microsoft Internet Explorer. A new security vulnerability has been reported that affects the ByteCode Verifier component of the Microsoft VM. It occurs because the ByteCode verifier does not correctly look for certain malicious code when a Java applet is being loaded. The attack vector for this new security issue would likely involve an attacker creating a malicious Java applet and inserting it into a Web page that would exploit this vulnerability when it was opened. An attacker could then host this malicious Web page on a Web site or could send it to a user in e-mail. The present Microsoft VM has been updated to include a fix for this newly reported security vulnerability. This version of VM includes all previously released fixes to the VM.



RESOLUTION
To resolve this problem, install the 816093 Microsoft VM Security Update package. This update upgrades the Microsoft VM to version 5.00.3810. All versions of the Microsoft VM earlier than 5.00.3810 are affected by the vulnerabilities that are listed in the &quot;Symptoms&quot; section of this article.

Windows Server 2003, Windows XP, Windows NT, Windows 98, Windows ME, Small Business Server 2003, and Windows 2000 (except for Windows 2000 SP2 and SP3)
To download the patch to update existing installations of the Microsoft VM, visit the Microsoft Windows Update Web site. Windows Update detects what version of Windows you are running and offers the appropriate patch. To locate the update, visit the &quot;Critical Updates&quot; section of the Microsoft Windows Update Web site:

http://windowsupdate.microsoft.com

For Windows 2000 SP2 and SP3 only
The following files are available for download from the Microsoft Download Center:

Download the 816093 package now.

For more information about how to download Microsoft support files, click the following article number to view the article in the Microsoft Knowledge Base:

119591 How to obtain Microsoft support files from online services

Microsoft scanned this file for viruses. Microsoft used the most current virus-detection software that was available on the date that the file was posted. The file is stored on security-enhanced servers that help prevent any unauthorized changes to the file.

Deployment Information
Network administrators can download this update from the Windows Update Catalog to deploy to multiple computers that already have the Microsoft VM installed:

http://v4.windowsupdate.microsoft.com/catalog

If you have to obtain this update to install later on one or more than one computer, search for this article ID number by using the Advanced Search Options in the Windows Update Catalog. For more information about how to download updates from the Windows Update Catalog, click the following article number to view the article in the Microsoft Knowledge Base:

323166 How to download Windows updates and drivers from the Windows Update Catalog

Notes  If you are running Windows Server 2003, Windows XP, or Windows 2000 SP4 without the Microsoft VM installed, you cannot install this update to the Microsoft VM. If you try to install this update to the Microsoft VM on a computer that does not already have the Microsoft VM installed that is running Windows Server 2003, Windows XP, or Windows 2000 SP4, you receive the following message:

Microsoft VM

This setup will only upgrade over an existing version of the Microsoft VM.

If you click OK, you receive the following message:

Microsoft VM

The installation is complete.

This message is incorrect. The Microsoft VM is not installed if you do not already have the Microsoft VM installed.

For more information, click the following article numbers to view the articles in the Microsoft Knowledge Base:

820101 Frequently asked questions about the Microsoft VM and Windows 2000 Service Pack 4

813926 Differences between Windows XP Service Pack 1 and Windows XP Service Pack 1a

 To download this update for computers that have the Microsoft VM installed that are running Windows Server 2003, Windows XP, or Windows 2000 SP4, or for computers that are running Windows NT 4.0, Windows Millennium Edition (Me), Windows 98 Second Edition, or Windows 98, select Windows Server 2003, Windows XP, Windows 2000 SP4, Windows Millennium Edition, or Windows 98 for your operating system. Windows NT 4.0-based computers do not have access to the Windows Update Catalog. If you have to download a Windows NT 4.0 package to install on multiple computers or to install later, access the Windows Update catalog by using a computer than runs Windows 98, Windows Millennium Edition, Windows 2000, Windows XP, or Windows Server 2003, and then select Windows 98, Windows Millennium Edition, Windows 2000 SP4, Windows Server 2003, or Windows XP for your operating system. This security update will install on computers that already have the Microsoft VM installed that are running Windows 98, Windows Millennium Edition, Windows 2000 SP4, Windows Server 2003, Windows XP, or Windows NT 4.0. Administrators who do not have access to a computer that is running Windows XP, Windows 98, Windows Millennium Edition, Windows 2000, or Windows Server 2003 can contact Microsoft Product Support Services (PSS) to obtain the patch. For a complete list of Microsoft Product Support Services phone numbers and information about support costs, visit the following Microsoft Web site:

http://support.microsoft.com/default.aspx?scid=fh;EN-US;CNTACTMS



For more information about how to install the Microsoft VM silently without restarting your computer, click the following article number to view the article in the Microsoft Knowledge Base:

304930 How to install Microsoft Virtual Machine updates silently without restarting your computer

Prerequisites
This update will only install on computers that already have an earlier version of the Microsoft VM installed. Windows 2000 SP2 and Windows 2000 SP3 version of this Microsoft VM update requires Windows 2000 SP2 or later and cannot be installed on any other operating system. To download this update for Windows 2000 SP2 or Windows 2000 SP3 from the Windows Update Catalog, select either Windows 2000 SP2 or Windows 2000 SP3 for your operating system. For more information about how to obtain Windows 2000 SP2 or later, click the following article number to view the article in the Microsoft Knowledge Base:

260910 How to obtain the latest Windows 2000 service pack

If you are using Windows NT 4.0, you must have Windows NT 4.0 SP3 or later installed to install this update. For more information about how to obtain the latest Windows NT 4.0 service pack, click the following article number to view the article in the Microsoft Knowledge Base:

152734 How to obtain the latest Windows NT 4.0 service pack

Restart Requirement
You must restart your computer after you install this update if you are updating the Microsoft VM build 3802 or earlier. (The Microsoft VM build 3802 is included with Windows 2000 SP2.) The update also requires an administrator logon after the restart to complete the installation. You do not have to restart your computer if you install the Java VM update over build 3805 through build 3810. (The Microsoft VM build 3805 is included with Windows 2000 SP3.)

Removal Information
This patch contains system files and protected components and therefore cannot be removed.

Patch Replacement Information
This update replaces the following updates:
 * http://www.microsoft.com/technet/security/bulletin/MS99-031.mspx
 * http://www.microsoft.com/technet/security/bulletin/MS99-045.mspx
 * http://www.microsoft.com/technet/security/bulletin/MS00-011.mspx
 * http://www.microsoft.com/technet/security/bulletin/MS00-075.mspx
 * http://www.microsoft.com/technet/security/bulletin/MS00-081.mspx
 * http://www.microsoft.com/technet/security/bulletin/MS02-013.mspx
 * http://www.microsoft.com/technet/security/bulletin/MS02-052.mspx
 * http://www.microsoft.com/technet/security/bulletin/MS02-069.mspx

File Information
The English version of this update has the file attributes (or later file attributes) that are listed in the following table. The dates and times for these files are listed in Coordinated Universal Time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time item in Control Panel.   Date         Time   Version     Size       File name --  13-Mar-2003  14:51                  2,678  Classes.cer 13-Mar-2003 14:51              5,751,849  Classes.zip 17-Mar-2003 19:05  5.0.3810.0    404,752  Javart.dll 13-Mar-2003 18:33  5.0.3810.0    172,304  Jview.exe 17-Mar-2003 19:05  5.0.3810.0    946,960  Msjava.dll 13-Mar-2003 14:51                  2,678  Msjdbc.cer 13-Mar-2003 14:51                137,482  Msjdbc.zip 20-Mar-2002 08:53                 10,957  Osp.zip Note After you install the updated VM, all the .zip files will have different names. This is typical behavior and can be ignored. Also note that only some of the files in the Zip package have been changed for this release. However, these files cannot be packaged individually.



WORKAROUND
There are a number of workarounds that you may be able to apply temporarily while you evaluate and test the new Microsoft VM:
 * In an enterprise environment, you can use application filters at the firewall to examine and block mobile code.
 * You can use a later Microsoft e-mail client computer, such as a computer that is running Microsoft Outlook 2002 or Outlook Express 6. By default, the e-mail attack vector is prevented in later versions of Outlook. If you are using earlier Microsoft Outlook clients such as clients that are running Outlook 98 or 2000, the e-mail vector is blocked if the Outlook Email Security Update is used.
 * You can prevent Java applets from being run in the Internet Explorer Internet zone. Note that if you disable Java applets, your ability to view certain Web pages may be affected. To disable Java applets:
 * On the Tools menu, click Internet Options, click the Security tab, and then click Custom Level.
 * In the Settings box, click Disable Java under Java Permissions, click OK, and then click OK again.



STATUS
Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the &quot;Applies to&quot; section.



MORE INFORMATION
To determine the Microsoft VM build number on a computer that is running Windows 98, Windows 98 Second Edition, or Windows Millennium Edition, follow these steps:
 * 1) Click Start, and then click Run.
 * 2) In the Open box, type command, and then click OK.
 * 3) At the command prompt, type jview, and then press ENTER.

The version information appears on the first line as &quot;Version ,&quot; where the last four digits are the build number. For example, 5.00.3802 is Microsoft VM build 3802.

To determine the Microsoft VM build number on a computer running Windows NT 4.0, Windows 2000, or Windows XP, follow these steps:
 * 1) Click Start, and then click Run.
 * 2) In the Open box, type cmd, and then click OK.
 * 3) At the command prompt, type jview, and then press ENTER.

Notice that the version information appears on the first line as &quot;Version ,&quot; where the last four digits are the build number. For example, 5.00.3802 is Microsoft VM build 3802.

For more information about this vulnerability, visit the following Microsoft Web site:

http://www.microsoft.com/technet/security/bulletin/MS03-011.mspx

