Microsoft Warns of Flaws in VM

Microsoft released fixes for eight new vulnerabilities in its Virtual machine software.

Microsoft Corp. Thursday released fixes for eight new vulnerabilities in its Virtual machine software, the most serious of which gives attackers the ability to take control of vulnerable PCs.

The Microsoft VM is used to run Java applets in Windows environments and ships with most versions of Windows and Internet Explorer.

The most dangerous of the new flaws lies in the way that Java programs access COM objects. The vulnerability allows untrusted applets to access some COM objects, making it possible for an attacker to completely compromise a target system.

Two of the other vulnerabilities allow a Java applet to disguise the location of its code base. This, in turn, could allow an applet on a Web site—which by default has read access to the folder in which it resides and the folders below it—to mask its location and act as if its located on a users local machine or network share.

There is also a vulnerability that results from the Virtual machines failure to prevent applets from calling a certain set of APIs that provide database access methods. An attacker who exploits this flaw could take any action on a database file, limited only by the local users permissions.

The four other vulnerabilities are less serious, with implications that range from information disclosure to IE crashing.

The VM installs by default with Windows 95, 98 and 98SE, Me, NT 4.0 beginning with Service Pack 1, 2000 and XP from SP 1 on.

The patch for these vulnerabilities is available on the Windows Update Web site.

Microsoft, of Redmond, Wash., also released a patch for a flaw in Windows NT 4.0, 2000 and XP that leads to privilege escalation and another in the Server Message Block protocol in Windows 2000 and XP that allows an attacker to change group policies.