Microsoft warns of Java flaws

By Joe Wilcox, Staff Writer
CNET

December 12, 2002

Microsoft late Wednesday issued a "critical" security alert for a series of Java Virtual Machine bugs, one of which could allow a hacker to steal information or reformat the hard drives of compromised computers.

The alert, which relates to Microsoft's version of the JVM, comes a week after Sun Microsystems asked a federal judge to issue an injunction compelling the software titan to carry Sun's version of the JVM in the Windows XP operating system. Microsoft's version of the JVM is based on 5-year-old Sun technology.

Microsoft gave the series of JVM glitches its highest alert rating because the extensive amount of damage a hacker could do if a computer is compromised. The Redmond, Wash.-based company identified eight vulnerabilities in all, rating one "critical," two as "important," two "moderate" and three "low."

The most serious of the security holes "could enable an attacker’s Java applet to gain control over another user’s system," according to the alert. "This would enable the attacker to take any desired action on the user’s system; for instance, the attacker could add, delete or change data on the user’s system; communicate with Web sites; load and run programs; reformat the hard drive, and so forth."

The exploit is possible because of a flaw in the way Microsoft's JVM handles software written to Microsoft’s Component Object Model (COM). "Although the Microsoft (JVM) has security checks to prevent Java applets from invoking COM objects, there is a method of invoking them that bypasses the checks," according to the security bulletin.

A hacker could use a Web site or HTML-based e-mail to begin the attack.

The two "important" flaws "could enable an attacker to read--but not change, add or delete--files from another user’s system, and potentially from other network shares that the user has read access to," according to Microsoft's security alert. Both exploits would take advantage of a flaw in how Microsoft's JVM handles the Java Applet tag. This would allow the hacker to create a Java applet that loads from a different Web site than the one the browser is accessing. The exploit would allow the hacker to access, but not change, any local or network files a person has rights to.

The first of the two "moderate" flaws would allow a hacker's Java applet to pose as coming from another location, or domain, in a Web browser that is different from where the browser says the user is. The hacker would then be able to collect information, including login names and passwords, using the fake Web site.

The second moderate exploit would take advantage of a flaw in Microsoft's application programming interface (API) code for connecting to databases. "This vulnerability could enable an attacker to access databases in the guise of another user," according to the security alert. "If successfully exploited, it would enable an attacker to read, add, change or delete data in any data source the user has access to."

Two of the three "low" rated vulnerabilities would cause nuisances. One would prevent the JVM from running and another could crash Internet Explorer. But the third one, which would allow a Java applet to access supposedly secure system settings, would allow a hacker to pilfer the user name.

Microsoft encourages all Windows users to update their JVM to a newer version, which is available from the Windows Update Web site.

Microsoft issued two additional security alerts on Wednesday, one that would allow a hacker to seize control over a compromised computer and another that would let a hacker change group policies.

The first exploit, given the rating of important, takes advantage of a flaw in a timer message sent at the end of a system process.

"An attacker who successfully exploited this vulnerability could gain unwarranted privileges on a system," according to a Microsoft security bulletin. "In this case, the attacker could gain full administrative privileges, thereby gaining the ability to take any desired action on the machine, such as adding, deleting, or modifying data on the system, creating or deleting user accounts, and adding accounts to the local administrators group."

Microsoft rated the flaw important--not critical--because the hacker would require some other kind of authorized access to the computer to fully exploit the security bug. The problem affects Windows NT 4, Windows NT 4 Terminal Server Edition, Windows 2000 and Windows XP.

Separate patches are available for all affected operating systems: Windows NT 4, Windows NT 4 Terminal Server Edition, Windows 2000, Windows XP and Windows XP 64-bit Edition.

The final exploit, rated moderate, would let a hacker use the Server Message Block protocol to change group policy settings on a compromised computer. "By doing this, the attacker could take actions such as adding users to the local administrators group or installing and running code of his or her choice on the system," according to the Microsoft security alert.

Windows XP systems with Service Pack 1 installed are not vulnerable to this exploit, according to Microsoft. Patches are available for Windows 2000, Windows XP and Windows XP 64-bit Edition.

The new security problems come less than a week after Microsoft raised to critical from moderate a flaw affecting Internet Explorer. Security experts had sharply criticized Microsoft for downplaying the seriousness of the security breach.

In late November, Microsoft grappled with an even more serious flaw, affecting Internet Explorer and also the Internet Information Server software, which potentially exposed more than 4 million Web sites to hackers.

Copyright 2002 CNET Networks, Inc.