Vulnerability Note VU#237777

Microsoft Virtual Machine allows applets write access to the Standard Security Manager

Original Release date: 21 Jan 2003 | Last revised: 21 Jan 2003

Overview

A flaw in the Microsoft virtual machine (Microsoft VM) could allow malicious Java applets to block other, legitimate applets from running, resulting in a denial-of-service condition.

Description

The Microsoft virtual machine (Microsoft VM) enables Java programs to run on Windows platforms. The Microsoft VM is included in most versions of Windows and Internet Explorer.

The Standard Security Manager is a component of the VM’s security policy mechanism, and provides information about the restrictions that should be enforced when Java applets run within Internet Explorer. Among the information it can contain is a list of Java applets and modules that Java applets should not be able to invoke.

Microsoft's VM fails to disallow Java programs from writing to the Standard Security Manager. By design, only the VM itself should be able to add information to the Standard Security Manager. However, a flaw allows any Java program to do so. An attacker who successfully exploited this vulnerability could add other Java code to the "banned" list in the Standard Security Manager, and prevent the current instance of the Microsoft VM-enabled application (e.g., Internet Explorer, Outlook Express, etc.) from being able to use that code.

Impact

Exploitation of this vulnerability could result in a denial-of-service condition since a malicious program or applet may list other, legitimate programs or applets to the "banned" list in the Standard Security Manager. A malicious Java program that was designed to exploit this vulnerability could be hosted on an attacker's web page or introduced via HTML email.

Any applications that depended on the now-banned Java modules from operating properly would be adversely affected. These conditions would persist for the lifetime of that instance of the VM-enabled application. Subsequent instances, or other instances held in parallel, would not be affected.

Solution

Apply a patch from the vendor

Microsoft has issued Security Bulletin MS02-069 addressing this vulnerability. Users are encouraged to follow the instructions outlined in that bulletin and apply the patches that it refers to.


Workarounds

Disable Java

- if the ability to run Java applets is not required or desired, configure your web browser to not execute them. Information about disabling Java in various web browsers can be found here.

Note that disabling Java in your web browser may not mitigate this vulnerability for Java programs that are invoked via another method.

Systems Affected (Learn More)

VendorStatusDate NotifiedDate Updated
Microsoft CorporationAffected26 Nov 200218 Dec 2002
If you are a vendor and your product is affected, let us know.

CVSS Metrics (Learn More)

Group Score Vector
Base N/A N/A
Temporal N/A N/A
Environmental N/A N/A

References

Credit

Thanks to Jouko Pynnonen for reporting this vulnerability.

This document was written by Chad R Dougherty.

Other Information

  • CVE IDs: CAN-2002-1292
  • Date Public: 12 Nov 2002
  • Date First Published: 21 Jan 2003
  • Date Last Updated: 21 Jan 2003
  • Severity Metric: 1.95
  • Document Revision: 15

Feedback

If you have feedback, comments, or additional information about this vulnerability, please send us email.