Microsoft VM

Pues están equivocados.Para la VM de Microsoft el parche está
disponible desde 2003:
(What does the patch do?
The patch eliminates the vulnerability by ensuring the ByteCode
Verifier carries out the correct checks when loading a Java applet).


Microsoft Security Bulletin MS03-011
Flaw in Microsoft VM Could Enable System Compromise (816093)

Originally posted: April 09, 2003
Updated: April 13, 2003

Summary
Who should read this bulletin:
Customers using Microsoft® Windows®.

Impact of vulnerability:
Allow attacker to execute code of his or her choice.

Maximum Severity Rating:
Critical

Recommendation:
Customers should install build 3810 or later of the Microsoft VM, as
discussed below

End User Bulletin:
An end user version of this bulletin is available at:
http://www.microsoft.com/security/b...ndows.mspx

Affected Software:

? Versions of the Microsoft virtual machine (Microsoft VM) are
identified by build numbers, which can be determined using the JVIEW
tool as discussed in the FAQ. All builds of the Microsoft VM up to and
including build 5.0.3809 are affected by these vulnerabilities.


Top of section
General Information
Technical details

Technical description:

The Microsoft VM is a virtual machine for the Win32® operating
environment. The Microsoft VM is shipped in most versions of Windows (a
complete list is available in the FAQ), as well as in most versions of
Internet Explorer.

The present Microsoft VM, which includes all previously released fixes
to the VM, has been updated to include a fix for the newly reported
security vulnerability. This new security vulnerability affects the
ByteCode Verifier component of the Microsoft VM, and results because
the ByteCode verifier does not correctly check for the presence of
certain malicious code when a Java applet is being loaded. The attack
vector for this new security issue would likely involve an attacker
creating a malicious Java applet and inserting it into a web page that
when opened, would exploit the vulnerability. An attacker could then
host this malicious web page on a web site, or could send it to a user
in e-mail.

Mitigating factors:

? In order to exploit this vulnerability via the web-based attack
vector, the attacker would need to entice a user into visiting a web
site that the attacker controlled. The vulnerability itself provide no
way to force a user to a web site.

? Java applets are disabled within the Restricted Sites Zone. As a
result, any mail client that opened HTML mail within the Restricted
Sites Zone, such as Outlook 2002, Outlook Express 6, or Outlook 98 or
2000 when used in conjunction with the Outlook Email Security Update,
would not be at risk from the mail-based attack vector.

? The vulnerability would gain only the privileges of the user, so
customers who operate with less than administrative privileges would be
at less risk from the vulnerability.

? Corporate IT administrators could limit the risk posed to their users
by using application filters at the firewall to inspect and block
mobile code.


Severity Rating:

Microsoft VM
Critical


The above assessment is based on the types of systems affected by the
vulnerability, their typical deployment patterns, and the effect that
exploiting the vulnerability would have on them.

Vulnerability identifier: CAN-2003-0111

Tested Versions:

Microsoft tested VM builds 5.0.3802 and later to assess whether they
are affected by these vulnerabilities. Previous versions are no longer
supported, and may or may not be affected by these vulnerabilities.

Top of section
Frequently asked questions

What security vulnerability is eliminated by the new VM build?
This VM build includes all previously released security fixes, as well
as fixing a newly reported security vulnerability that affects the
ByteCode Verifier and could allow an attacker to run code of his or her
choice on a user's system.

What is the Microsoft VM?
The Microsoft virtual machine (Microsoft VM) enables Java programs to
run on Windows platforms. The Microsoft VM is included in most versions
of Windows and Internet Explorer. The vulnerability discussed here
affects all customers who have the Microsoft VM.

I don't know if the Microsoft VM is installed on my system. How can I
tell?
If you're using any of the following versions of Windows, you
definitely have the Microsoft VM installed:

? Microsoft Windows 95

? Microsoft Windows 98 and 98SE

? Microsoft Windows Millennium

? Microsoft Windows NT 4.0, beginning with Service Pack 1

? Microsoft Windows 2000 versions prior to Service Pack 4

? Microsoft Windows XP


The Microsoft VM also shipped as part of several versions of Internet
Explorer and other products. If you're in doubt about whether you have
it installed, do the following:

1.
Select Start, then Run.

2.
Open a command box, as follows:

? If you are running Windows 98 or Windows Millennium, type "command"
(without the quotes), then hit the enter key.

? If you are running Windows NT 4.0, Windows 2000, or Windows XP, type
"cmd" (without the quotes), then hit the enter key.

? In the resulting command box, type "Jview" (without the quotes). If a
program runs, you have the Microsoft VM installed. If you receive an
error saying that no program by that name exists, you don't.




Is this a new version of the Microsoft VM?
Yes, Microsoft VM build 3810 is a new release of the Microsoft VM.

How can I tell what version of the Microsoft VM I'm using?
Here's how to determine the build number you're using:

1.
Select Start, then Run.

2.
On Windows 95, 98, or Me, type "command" (without the quotes). On
Windows NT 4.0, 2000, or XP, type "cmd" (again, without the quotes).
Hit the enter key.

3.
In the result command box, type "Jview" (without the quotes) and hit
the enter key.

4.
In the topmost line of the resulting listing, you should see a version
number of the form x.yy.zzzz. The final four digits are the version
number.


Once I know the version number, what should I do?
Use the table below to determine the right action.

If the version number is. . . You should. . .
3809 or less
Apply Microsoft VM build 3810. (Available from Windows Update).

3810 or higher
Do nothing. You're using a version that's already protected against
these vulnerabilities.


I'm a network administrator. I see that the patch is available on
Windows Update, but I'd like to download it and update the Microsoft VM
on my users' systems. Can I do this?
Yes. You may update existing Microsoft VMs by following these steps:

1.
Go to the Windows Update web site.

2.
In the left pane, under Other Options, select "Personalize Windows
Update".

3.
Under "Set Options for Windows Update", select the checkbox for
"Display the Link to Windows Update Catalog under 'See Also'", then
click "Save Settings".

4.
Go back to the Windows Update web site.

5.
In the left pane, under "See Also", select "Windows Update Catalog".

6.
Select "Find Updates for Microsoft Operating Systems".

7.
Select the operating system and language of your choice.

8.
Select "Critical Updates and Service Packs".

9.
Select all of the patches you'd like to download, then click on "Go to
download basket" to download them.


For more information on using the Windows Update Catalog, please see
the following references:

? Windows NT 4.0: Microsoft Knowledge Base Article 313191.

? All other operating systems: Microsoft Knowledge Base Article 323166.


What causes the vulnerability?
The Vulnerability results because of a flaw in the way the ByteCode
Verifier checks code when it is initially being loaded by the Microsoft
VM.

What is the ByteCode Verifier?
The ByteCode Verifier is a low level process in the Microsoft VM that
is responsible for checking the validity of code - or byte code - as it
is initially being loaded into the Microsoft VM.

What's wrong with the ByteCode verifier in the Microsoft VM?
There is a flaw in the way the ByteCode Verifier conducts its checks
when it is loading code. It does not check correctly for a particular
illegal sequence of byte codes, therefore a malicious applet could be
used to take advantage of this missing check and bypass subsequent
security checks.

What could this vulnerability enable an attacker to do?
This vulnerability could enable an attacker to construct a malicious
Java applet which could be used to execute code of the attacker's
choice on a user's machine. The attacker could only run their code with
the same permissions as the user, so any restrictions placed on the
user would also affect the attacker as well.

How could an attacker exploit this vulnerability?
An attacker could seek to exploit this vulnerability by creating a
malicious Java applet and inserting it into a web page. The web page
could then be hosted on a web site, or sent to a user in e-mail.

What risk would the mail-based attack vector pose?
The disadvantage to an attacker of sending an applet in an HTML mail is
that most recent Microsoft mail clients do not allow Java applets in
email to run. By default, Outlook Express 6 and Outlook 2002 prevent
Java applets embedded in HTML mail from running. Similarly, Outlook 98
and 2000 prevent Java applets from running if the Outlook Email
Security Update has been installed. The advantage to the attacker of is
that they could target specific users - that is, the attacker wouldn't
need to wait for users to visit their web site, but instead could send
the applet directly to them.

What does the patch do?
The patch eliminates the vulnerability by ensuring the ByteCode
Verifier carries out the correct checks when loading a Java applet.



Workarounds

Are there any workarounds that I can apply while I am evaluating or
testing the new Microsoft VM?
There are a number of workarounds that you may be able to apply
temporarily while you evaluate and test the new Microsoft VM:

? In an enterprise environment, application filters may be used at the
firewall to inspect and/or block mobile code

? The e-mail attack vector is prevented by default if one of the later
Microsoft e-mail clients is used, such as such as Outlook 2002 or
Outlook Express 6. With earlier Microsoft Outlook clients such as
Outlook 98 or 2000, the e-mail vector is blocked if the Outlook Email
Security Update is used.

? Java applets can be prevented from executing in the Internet Explorer
Internet Zone. Note that disabling Java applets may affect your ability
to view certain web pages. To do this carry out the following
instructions:

? On the Tools menu, click Internet Options, click the Security tab,
and then click Custom Level.

? In the Settings box, click Disable Java under Java Permissions, click
OK and then click OK again.



Top of section
Patch availability

Download locations for this patch Download locations for this patch

? The patch is available to update existing Microsoft VMs via the
Windows Update web site.

? Customers running Windows 2000 Service Pack 2 or Windows 2000 Service
Pack 3 can obtain this security update at:

? All except Japanese NEC

? NEC Japanese

Note: A version of the patch that can be downloaded and deployed
throughout a network is available. Information on obtaining it is
available in the FAQ.

Note Customers running Windows 2000 Service Pack 4 should see Knowledge
Base article 820101 for more information.


Additional information about this patch

Installation platforms: The new VM build can be installed to update
Microsoft VMs on the following versions of Windows:

? Microsoft Windows 98 and 98SE

? Microsoft Windows Millennium

? Microsoft Windows NT 4.0, beginning with Service Pack 3

? Windows 2000 Service Pack 2 or Windows 2000 Service Pack 3

? Note Customers running Windows 2000 Service Pack 4 users should see
Knowledge Base article 820101 for more information


? Microsoft Windows XP Gold or Service Pack 1


Inclusion in future service packs:

The fixes included in this build will be included in all future VM
builds.

Reboot needed: Yes

Patch can be uninstalled: No

Superseded patches:

The new VM build supersedes all builds prior to and including 5.0.3809.
It includes fixes for all issues discussed in the following Microsoft
security bulletins:

? MS99-031

? MS99-045

? MS00-011

? MS00-059

? MS00-075

? MS00-081

? MS02-013

? MS02-052

? MS02-069


Verifying patch installation: Knowledge Base article 816093 provides
information to verify that you've installed the patch.

Caveats:

None

Localization:

Localized versions of this patch are available at the locations
discussed in "Patch Availability".

Obtaining other security patches:

Patches for other security issues are available from the following
locations:

? Security patches are available from the Microsoft Download Center,
and can be most easily found by doing a keyword search for
"security_patch".

? Patches for consumer platforms are available from the WindowsUpdate
web site


Top of section
Top of section
Other information:
Support:

? Microsoft Knowledge Base article 816093 discusses this issue and will
be available approximately 24 hours after the release of this bulletin.
Knowledge Base articles can be found on the Microsoft Online Support
web site.

? Technical support is available from Microsoft Product Support
Services. There is no charge for support calls associated with security
patches.


Security Resources: The Microsoft TechNet Security Web Site provides
additional information about security in Microsoft products.

Disclaimer:

The information provided in the Microsoft Knowledge Base is provided
"as is" without warranty of any kind. Microsoft disclaims all
warranties, either express or implied, including the warranties of
merchantability and fitness for a particular purpose. In no event shall
Microsoft Corporation or its suppliers be liable for any damages
whatsoever including direct, indirect, incidental, consequential, loss
of business profits or special damages, even if Microsoft Corporation
or its suppliers have been advised of the possibility of such damages.
Some states do not allow the exclusion or limitation of liability for
consequential or incidental damages so the foregoing limitation may not
apply.

Revisions:

? V1.0 (April 09, 2003): Bulletin Created.

? V1.1 (April 14, 2003): Corrected Windows NT 4.0 Service Pack
requirements

? V1.2 (June 27, 2003): Updated for Windows 2000 Service Pack 4

? V1.3 (April 13, 2004): Updated Windows 2000 Service Pack 4
information.


fermu wrote :

Hash: SHA1

Horacio Alfredo Comes escribió:

| La de MS, no (desde 2003).

http://secunia.com/advisories/12047/

Saludos
Fernando M. / Registered Linux User #367696

Saudações

Horacio Alfredo Comes

Todas las de Sun son vulnerables. Son unos delincuentes. La de
Microsoft no lo es.

Microsoft Security Bulletin MS03-011
Flaw in Microsoft VM Could Enable System Compromise (816093)
What does the patch do?
The patch eliminates the vulnerability by ensuring the ByteCode
Verifier carries out the correct checks when loading a Java applet.

JM Tella Llop [MVP Windows] pretended :

Ha salido ya la version 1.5 desde hace unas semanas. pruebala.

Jose Manuel Tella Llop
MVP - Windows
(quitar XXX)
http://www.multingles.net/jmt.htm

Este mensaje se proporciona "como está" sin garantías de ninguna clase, y no
otorga ningún derecho.

This posting is provided "AS IS" with no warranties, and confers no rights.
You assume all risk for your use.



"Geno" wrote in message
news:1bef01c4aca7$38c13ac0$ Mil gracias por dedicarme tu
tiempo con tanto interes.Efectivamente no tengo VM,tengo Java 2 Runtime
Environment SE v1.4. 02.Además de Java (TM)Web Star,que
no tengo idea de que puede ser.El origen de esta consulta
era que las casas de antivirus se refietren a siempre a
VM cuando eres vulnerable a Byte Verify,y yo lo soy. ¿Qué
puedo hacer?.Gracias de nuevo por tu amable
paciencia.Atentamente:Geno

¿Tienes instalada la MSJVM? Si es así, comprueba cuál es la versión
instalada. Desde una consola de comandos (cmd), escribe *jview*, si te
aparece un mensaje como éste...:

"Cargador de línea de comandos de Microsoft (R) para Java Versión 5.00.3810
Copyright (C) Microsoft Corp 1996-2000. Todos los derechos reservados."

es que tienes instalada la JVM de Microsoft .Observa la versión:
5.00.3810 . Debe ser ésta, si no lo es, debes actualizarla mediante el
patch ofrecido por Microsoft:

**MS03-011: Un error en la Máquina virtual (VM) de Microsoft podría poner
en peligro el sistema http://support.microsoft.com/default.aspx?
scid=kb;es;816093

En cambio, si te aparece un mensaje parecido a éste:

"jview no se reconoce como un comando interno o externo, programa o archivo
por lotes ejecutable"

... es que NO la tienes instalada, y por lo tanto deberás instalar la de
Sun Microsystems:

Máquina Virtual de Java para Windows 98/98SE/Me/NT/2000/XP (de SUN
Microsystems, Inc) http://java.sun.com/getjava/es/inst...ndows.html


Saludos,
Enrique Cortés
Microsoft MVP - Windows - IE/OE
(quita la Z)

Instala ya mismo el Service Pack 2 (SP2), la actualización más importante
para Windows XP, que incluye todas las actualizaciones críticas hasta la
fecha y protegerá tu seguridad en general gracias a Windows Security
Center. Haz clic en el siguiente enlace:
http://www.microsoft.com/downloads/details.aspx?

displaylang=es&FamilyID9c9dbe-3b8e-4f30-8245-
9e368d3cdb5a

Este mensaje se proporciona "como está", sin garantías de ninguna clase y
no otorga ningún derecho.
This posting is provided "AS IS" with no warranties, and confers no rights.

"Geno" escribió en el mensaje
news:0a9e01c4ac6d$6828bed0$



Por favor ¡ayuda!,no puedo poner fín a esta
vulnerabilidad.He leído toda la información que he
encontrado al respecto (MS03-11...etc).He realizado las
pruebas y mi sistema no refleja que exista la VM.¿Qué
puedo hacer?.A cada análisis con diferentes antivirus,
casi siempre aparece Byte.Tengo Internet Explorer6 y XP
Home Edition 5.1.2600.¿Podrias dedicarme algo de tu
tiempo?.Atentamente:Geno
Nota:mi antivirus es Norton.Hay una pág. de ayuda
(Security Response) muy detallada,pero desgraciadamente
en ingles.



.

Saudações

Horacio Alfredo Comes