Bug leaves Windows open to Java attack

[InfoSec News <isn () c4i org>]

http://news.zdnet.co.uk/story/0,,t269-s2133253,00.html

Matthew Broersma   
10th April 2003

Microsoft said that its Virtual Machine fails to catch certain
malicious code in Java applets, allowing an attacker to take control
of a PC

Microsoft has warned of three new flaws affecting its software, the
most serious of which would allow an attacker to gain full control of
a user's PC using a Java applet.

The three warnings, all issued on Wednesday, involve the Microsoft
Virtual Machine for running Java applets on Windows; a cross-site
scripting bug in a component of Windows 2000 and Windows NT 4.0; and a
denial-of-service bug affecting Proxy Server 2.0 and ISA Server.

With the three alerts, Microsoft has issued 12 new warnings so far
this year. Late last month the company issued patches for Windows and
IIS.

The Virtual Machine (VM) flaw is the most serious, meriting a
"critical" rating from Microsoft. The VM ships with most versions of
Windows and some versions of Internet Explorer, and is used to run
programs called "applets" written in Sun Microsystems' Java language.

A VM component called the ByteCode Verifier does not correctly check
for the presence of certain malicious code when the applet is being
loaded, meaning that an attacker could slip malicious code onto a
user's PC. This malicious applet, which could be delivered via a Web
page or an email, could allow the attacker to run code of his choice
on the PC, doing anything from erasing the hard drive to implanting a
"back door" leaving the machine vulnerable to future attacks.

Microsoft said that Windows installations containing the VM include
Windows 95, Windows 98 and 98SE, Windows ME, Windows NT 4.0, beginning
with Service Pack 1, Windows 2000 and Windows XP.

VM builds 5.0.3802 up to and including build 5.0.3809 were tested and
found to be affected, although earlier builds are probably also
vulnerable, the company said. The latest builds, 3810 and later,
should be downloaded and installed in order to eliminate the
vulnerability. Instructions for downloading and installing the
software can be found on Microsoft's Web site.

Microsoft noted that for the exploit to work, the attacker would have
to entice the user to view a malicious Web site or open a malicious
email. Email clients that place restrictions on HTML content in
messages, such as some newer versions of Outlook, would prevent the
attack from succeeding.


Cross-site scripting bug

The Cross-site scripting (CSS) bug affects Microsoft Indexing Services
for Windows 2000 and Windows NT 4.0. Cross-site scripting attacks were
first publicised in February of 2000, and can affect a variety of
different server-side software, enabling an attacker to insert
malicious code into a user's browsing session via a trusted Web site.

Microsoft said that a component of Indexing Services called
CiWebHitsFile is vulnerable to a CSS attack, and released a patch to
fix it. Indexing Services is a search service integrated into Internet
Information Server and Windows 2000.


Denial of service vulnerability

Microsoft's Proxy Server 2.0 and ISA Server contain a vulnerability
that allows an attacker from within the network to put them out of
commission using a specially-crafted data packet.

The packet causes the software to hit 100 percent CPU utilisation and
stop responding to internal and external requests. While a reboot
allows the software to function again, it is still vulnerable to the
same attack.

Specifically, the two pieces of software both contain a flawed version
of the Winsock Proxy service, which enables certain client-side
applications to function as though they had a direct Internet
connection, while routing their traffic through an internal server.

Microsoft released a patch for the bug on its Web site, and noted that
while the attack could shut the servers down, it did not allow a
hacker to gain any higher privileges or compromise any content cached
on the server.



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
in the BODY of the mail.