Flaw Microsoft Virtual Machine patched

Discussion in 'other security issues & news' started by Pieter_Arntz, Dec 12, 2002.

Thread Status:
Not open for further replies.
  1. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,312
    Location:
    Netherlands
    Microsoft Security Bulletin MS02-069


    Flaw in Microsoft VM Could Enable System Compromise (810030)
    Originally posted: December 11, 2002

    Summary
    Who should read this bulletin: Customers using Microsoft® Windows®.

    Impact of vulnerability: Eight vulnerabilities, the most serious of which would enable an attacker to gain control over another user's system.

    Maximum Severity Rating: Critical

    Recommendation: Customers should install build 3809 or later of the Microsoft VM, as discussed below.

    Affected Software:

    Versions of the Microsoft virtual machine (Microsoft VM) are identified by build numbers, which can be determined using the JVIEW tool as discussed in the FAQ. All builds of the Microsoft VM up to and including build 5.0.3805 are affected by these vulnerabilities.

    Source

    Regards,

    Pieter
     
  2. root

    root Registered Member

    Joined:
    Feb 19, 2002
    Posts:
    1,723
    Location:
    Missouri, USA
    You know, I don't have a clue what M$s virtual machine is.
    If I don't know what it is, is it possible I am still using it?
    You know, like is it a part of the OS?
    See! I don't know squat. :D
     
  3. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,312
    Location:
    Netherlands
    If you're running Windows, you could be using it. If you're using IE as a browser and you didn't replace it by Sun's Java you are using it a lot.
    If you're running XP you should read this first.

    And don't say you don't know squat. No-one is gonna believe you anyway :)

    Regards,

    Pieter
     
  4. FanJ

    FanJ Guest

    For Microsoft VM see:
    http://www.microsoft.com/java/

    What is the Microsoft VM?
    The Microsoft virtual machine (Microsoft VM) enables Java programs to run on Windows platforms. The Microsoft VM is included in most versions of Windows and Internet Explorer.
    The vulnerabilities here affect all customers who have the Microsoft VM.

    I don’t know if the Microsoft VM is installed on my system. How can I tell?
    If you’re using any of the following versions of Windows, you definitely have the Microsoft VM installed:
    Microsoft Windows 95
    Microsoft Windows 98 and 98SE
    Microsoft Windows Millennium
    Microsoft Windows NT 4.0, beginning with Service Pack 1
    Microsoft Windows 2000
    Microsoft Windows XP, beginning with Service Pack 1

    The Microsoft VM also shipped as part of several versions of Internet Explorer and other products and was incorporated into Windows XP via install on demand.

    If you’re in doubt about whether you have it installed, do the following:
    1. Select Start, then Run.
    2. Open a command box, as follows:
    If you are running Windows 98 or Windows Millennium, type “command” (without the quotes), then hit the enter key.
    If you are running Windows NT 4.0, Windows 2000, or Windows XP, type “cmd” (without the quotes), then hit the enter key.
    3. In the resulting command box, type “Jview” (without the quotes). If a program runs, you have the Microsoft VM installed. If you receive an error saying that no program by that name exists, you don’t.

    Is this a new version of the Microsoft VM?
    Yes, Microsoft VM build 3809 is a new release of the Microsoft VM.


    How can I tell what version of the Microsoft VM I’m using?
    Here’s how to determine the build number you’re using:
    1. Select Start, then Run.
    2. On Windows 95, 98, or Me, type “command” (without the quotes). On Windows NT 4.0, 2000, or XP, type “cmd” (again, without the quotes). Hit the enter key.
    3. In the resulting command box, type “Jview” (without the quotes) and hit the enter key.
    4. In the topmost line of the resulting listing, you should see a version number of the form x.yy.zzzz. The final four digits are the version number.

    Once I know the version number, what should I do?
    Use the table below to determine the right action.

    If the version number is ...                               You should ...
    3805 or less                                               Apply Microsoft VM build 3809 (available from Windows Update).
    3805 plus the MS02-052 patch released in September 2002    Apply Microsoft VM build 3809 (available from Windows Update).
    3809 or higher                                             Do nothing. You’re using a version that’s already protected against these vulnerabilities.
    I’m a network administrator. I see that the patch is available on Windows Update, but I’d like to download it and install it on my users’ systems. Can I do this?
    Yes. You may update existing Microsoft VMs by following these steps:
    1. Go to the Windows Update web site.
    2. In the left pane, under Other Options, select “Personalize Windows Update”.
    3. Under “Set Options for Windows Update”, select the checkbox for “Display the Link to Windows Update Catalog under ‘See Also’”, then click “Save Settings”.
    4. Go back to the Windows Update web site.
    5. In the left pane, under “See Also”, select “Windows Update Catalog”.
    6. Select “Find Updates for Microsoft Operating Systems”.
    7. Select the operating system and language of your choice.
    8. Select “Critical Updates and Service Packs”.
    9. Select all of the patches you’d like to download, then click on “Go to download basket” to download them.
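    A small added check, not from the bulletin or from anyone in this thread, that parses the build number from the first line of jview's output and applies the table above. It assumes jview is on the PATH when run on a real system and that its first line looks like the constructed sample; an unrecognised first line is reported as an error rather than guessed.

```python
import re
import shutil
import subprocess

# Build that MS02-069 names as protected (from the bulletin's table).
PATCHED_BUILD = 3809

# Constructed sample of what jview prints, not captured from a real system.
# The bulletin says the first line carries a version of the form x.yy.zzzz
# and that the final four digits are the build number.
SAMPLE_JVIEW_OUTPUT = (
    "Microsoft (R) Command-line Loader for Java Version 5.00.3805\n"
    "Copyright (C) Microsoft Corp 1996-2000. All rights reserved.\n"
    "\n"
    "Usage: JView [options] <classname> [arguments]\n"
)

VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d{4})\b")


def parse_jview_build(output):
    """Extract the four-digit build number from the first line of jview output.

    Raises ValueError if the first non-empty line carries no x.yy.zzzz version,
    so a garbled capture is never silently treated as 'patched' or 'absent'."""
    lines = [ln for ln in output.splitlines() if ln.strip()]
    match = VERSION_RE.search(lines[0]) if lines else None
    if match is None:
        raise ValueError("first line of jview output has no x.yy.zzzz version")
    return int(match.group(3))


def vm_action(build):
    """Map a build number (or None when jview is absent) to the bulletin's table."""
    if build is None:
        # 'No program by that name' means the Microsoft VM is not installed.
        return "not installed"
    if build >= PATCHED_BUILD:
        return "do nothing"
    # A 3805 VM with the September MS02-052 patch still reports build 3805,
    # so the table sends every build <= 3805 to build 3809 regardless.
    return "apply build 3809"


def check_system():
    """Run jview if it is on the PATH and classify the result."""
    if shutil.which("jview") is None:
        return None, vm_action(None)
    proc = subprocess.run(["jview"], capture_output=True, text=True)
    build = parse_jview_build(proc.stdout or proc.stderr)
    return build, vm_action(build)


if __name__ == "__main__":
    # Offline demonstration on the constructed sample, then the live check.
    sample_build = parse_jview_build(SAMPLE_JVIEW_OUTPUT)
    print(f"sample: build {sample_build} -> {vm_action(sample_build)}")
    build, action = check_system()
    print(f"this system: build {build} -> {action}")
```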
     
  5. FanJ

    FanJ Guest

    As an example I give here a screenshot of a part of the window which I got on my Windows 98 SE Dutch (IE 5.5 SP2), when I was looking for which version of VM I have on my system:
     


  6. root

    root Registered Member

    Joined:
    Feb 19, 2002
    Posts:
    1,723
    Location:
    Missouri, USA
    Ok, I have it. I have also downloaded SunMicro Java for Opera and never use IE.
    I think I'll take my chances and not mess with it.
    Thanks for the help guys. :D
     
  7. FanJ

    FanJ Guest

    I installed the patch and had another look using that Jview as described above, it gives now indeed 3809
     


  8. peakaboo

    peakaboo Registered Member

    Joined:
    Oct 20, 2002
    Posts:
    377
    Those who run proxomitron with web page filter "Kill All Java Applets" selected, have unknowingly been protected from this flaw if they use proxo consistently in general surfing.

    Although sounds like an email based attack is also possible.

    Of course if you run mail washer you would be able to discern the bad email from the good.

    Nice to have these proggies...

    But time to get the patch just to be on the safe side... ;)

    backing up my system just in case - usually no uninstall with M$ patches.

    addendum:

    sad part about it is I have to disable proxomitron in order to get to the M$ update page... LOL

    proxo killing all kinds of stuff when I try to access the update page
     
  9. FanJ

    FanJ Guest

  10. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,312
    Location:
    Netherlands
    Took me two tries and well over half an hour as well :(

    Regards,

    Pieter
     
  11. TonyKlein

    TonyKlein Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    4,347
    Location:
    The Netherlands
    Well, the problem seems to lie with the fact that there are two Critical Updates on offer: VM and Q328310

    I tried in vain to download them both, and the download never completed.

    I got "The following updates failed to install" time and time again.

    Every time it froze at 5.1 MB, which I finally realized was the exact size of the VM update.

    So I removed Q328310, elected to download VM only, and it went without a hitch.

    I'm downloading Q328310 as we speak, and although the progress is sloooooow, it's progressing.
     
  12. FanJ

    FanJ Guest

    Hi Ton,

    If you got Q328310 installed, could you tell us if it shows up in Help > About in IE.
    It does not here on my system; I guess I have to look further.....

    Thanks,
    Cheers, Jan.
     
  13. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,312
    Location:
    Netherlands
    Hi FanJ,

    I've got that update and it's not in the list you are referring to.

    Regards,

    Pieter
     


  14. TonyKlein

    TonyKlein Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    4,347
    Location:
    The Netherlands
    It downloaded, but it won't install.

    There are problems with the patch. The MS WindowsUpdate newsgroup is teeming with people unable to download or install either or both of these patches.
     
  15. TonyKlein

    TonyKlein Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    4,347
    Location:
    The Netherlands
    BTW, about this particular vulnerability, according to MS, "The attacker would need the ability to log onto the computer to carry out an attack", so I'm not really worried of being a sitting duck here at home.... :D
     
  16. FanJ

    FanJ Guest

    Unless it starts freezing here again and the duck can't hardly move ;)

    Hey Ton and Pieter, thanks for the info !
    Please keep us informed about what's going on with those updates.
     
  17. FanJ

    FanJ Guest

    OK, I see now at least that that update Q328310 (MS02-071) is not for me, because I run Windows 98 SE.


    Microsoft Security Bulletin MS02-071
    Flaw in Windows WM_TIMER Message Handling Could Enable Privilege Elevation (328310)
    Originally posted: December 11, 2002

    Summary
    Who should read this bulletin: Customers using Microsoft® Windows® NT 4.0, Windows 2000, and Windows XP.
    Impact of vulnerability: Privilege elevation
    Maximum Severity Rating: Important
    Recommendation: Customers should install the patch at the earliest opportunity.
    Affected Software:
    Microsoft Windows NT 4.0
    Microsoft Windows NT 4.0, Terminal Server Edition
    Microsoft Windows 2000
    Microsoft Windows XP

    End User Bulletin: An end user version of this bulletin is available at: http://www.microsoft.com/security/security_bulletins/ms02-071.asp.


    Technical description:

    Windows messages provide a way for interactive processes to react to user events (e.g., keystrokes or mouse movements) and communicate with other interactive processes. One such message, WM_TIMER, is sent at the expiration of a timer, and can be used to cause a process to execute a timer callback function. A security vulnerability results because it's possible for one process in the interactive desktop to use a WM_TIMER message to cause another process to execute a callback function at the address of its choice, even if the second process did not set a timer. If that second process had higher privileges than the first, this would provide the first process with a way of exercising them.
    By default, several of the processes running in the interactive desktop do so with LocalSystem privileges. As a result, an attacker who had the ability to log onto a system interactively could potentially run a program that would levy a WM_TIMER request upon such a process, causing it to take any action the attacker specified. This would give the attacker complete control over the system.
    In addition to addressing this vulnerability, the patch also makes changes to several processes that run on the interactive desktop with high privileges. Although none of these would, in the absence of the WM_TIMER vulnerability, enable an attacker to gain privileges on the system, we have included them in the patch to make the services more robust.

    Mitigating factors:
    An attacker would need valid logon credentials to exploit the vulnerability. It could not be exploited remotely.
    Properly secured servers would be at little risk from this vulnerability. Standard best practices recommend only allowing trusted administrators to log onto such systems interactively; without such privileges, an attacker could not exploit the vulnerability.
    Severity Rating:
    Windows NT 4.0   Important
    Windows NT 4.0, Terminal Server Edition   Important
    Windows 2000   Important
    Windows XP   Important
    The above assessment is based on the types of systems affected by the vulnerability, their typical deployment patterns, and the effect that exploiting the vulnerability would have on them.

    Vulnerability identifier: CAN-2002-1230

    Tested Versions:
    Microsoft tested Windows NT 4.0, Windows NT 4.0, Terminal Server Edition, Windows 2000, and Windows XP to assess whether they are affected by these vulnerabilities. Previous versions are no longer supported, and may or may not be affected by these vulnerabilities.
     
  18. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    I still read pro and contra the IE 6.0 SP1, i see now about everybody with the IE SP1, is that correct, no more problems with that? I think i should better get that before getting the new patches, correct?
     
  19. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,312
    Location:
    Netherlands
    No real problems with IE6SP1, just the annoyance of the red crosses sometimes :( But I'd rather have that than leave the security issues unpatched.

    Regards,

    Pieter
     
  20. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Thanks, going for that to start with , after the VM and whatever is left.
    OK all is there (just missed a few things)
    Wondering why my system seems to run faster now: did they remove half of the content of IE with those updates (downgrades?)

    Grgrgrgr just found out something must have been changed, so i can't get access to my hotmail account anymore: i see instead of reading a cookie or whatever action a whole script on my page about setting and reading the cookie, whole page filled with that garbage;
    almost the same i see in the header on every page now in the yahoo account.
    So i suppose i have completely unexpectedly to change some settings? Is there any experience with this?
    I tried everything i could think of: changing the cookie settings in security > advanced to checked everything and trying every option, deleting the old cookie, nothing helps.
    Any urgent ideas? As we nowadays have to visit the hotmail account once every 30 days and my time is due to visit it online for not losing it altogether, so this is really bad bad case.

    Thanks in advance for urgent help.
    Of course the site doesn't offer any help, only for lost passwords and deleting the account, but not any suggestion about browser settings/changes with that terrible SP1. I read there were some urgent problems with it, causing people even to reinstall their windows to get rid of it, i hope i'm not the next running in the same situation.
     
  21. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    As expected not any help from MS nor Hotmail, causing it to everything except their own software (MS) or settings/web certificates on their own site (hotmail, even though the displayed cookies are expired 1969 etc, seeing the whole posting) and recommending to get rid of a firewall.
    Nah, where it is i don't know, as also with Netscape nor IE 6.0 i can get access to the hotmail mailbox at all since the last security update.
    Tried all, even firewall down.
    OK, one last option, an own made browser without any security. I know, a risk, but just for testing purposes.
    Jumped in without any problem, could email and delete and compose like before.

    Now you want to know the browser, of course.
    First make sure you have TDS up and running.
    TDS > SS3 > Load Script > Scripts > Examples > Web > Custom browser > drag the webform.ss3 to notepad and edit the URL, save, > see in the same folder Load.SS3, doubleclick the thing and either you jump immediately in the place you want to be or you have to type "showbrowser" as one of the options. Very nice, has nothing so can't conflict with any other software you're using, and you might like it so much you will find your protection in other proxies and whatever you use.
    So, if a website is troubling, here is your own Wayne-made browser, DiamondCS Gates open the world of internet for you.
    See you back in the TDS forum for more!
     
  22. snapdragin

    snapdragin Administrator

    Joined:
    Feb 16, 2002
    Posts:
    8,415
    Location:
    Southern Ont., Canada
    Jooske! Thank you for posting that! Here i thought it was something i did (or un-did) that stopped my accessing hotmail. i haven't been able to get into my hotmail acc't with IE-SP1 for the past week. Nothing i have tried has let me get to the final page with IE. Even with Opera, the only way i could get in was to set the cookies (even the 3rd party cookies) to accept from all servers. Grrrrr!

    i didn't d/l the last critical updates until just this morning....but they didn't help at all.

    oh well, i only go into hotmail once a month just to keep it alive.....but at least i know i am not alone, and there is no way i am putting hotmail in my trusted zone (although i don't think that would help anyways since when i tried i had literally enabled everything) ~shakes head~

    snap
     
  23. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Think we tried the same steps, and i removed them from the trusted zone too immediately after trying.
    The firewall developers will be interested in the accusations to be the cause like hotmail/msn wrote me, while their software has not changed at all. And even with fw completely down no change.
    Hotmail has just to update their certificates and cookie settings expired in 1969, and whatever changed settings. Strange this has not caused any problems until those last updates/patches.
    And another thing: i was told yahoo and hotmail work together and would share even some mailservers, not sure if this is true, but i can enter yahoo without problems, only every page inside the mailbox has a header filled with garbage, same like the cookie setting page in hotmail, although i did not see dates like 1969 or other expiry dates there.
    Glad to know i'm not the only one with the hotmail problems, must be thousands of other users too. If they don't find a solution like we did just now, hotmail will have lots of room on their servers soon from all those. In fact i'm accusing them they don't mind as they are trying to give out paid accounts only anyway.
    If you're not using TDS get your trial as i'm sure this script is so small even with that evaluation version you can run it and try to access hotmail. (this i write for all)
    Please let me know if it helps.
     
  24. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Tried some more things; interested to know if there are more people with the same problems or possible solutions in the meantime?
    I'm very sure Hotmail/MSN is very interested to know by now, being sure we two are not the only individuals who can't get in.
    Till now i did not have those problems on any other sites yet, or it should just be complete 404 pages and the kind which might be IE 6.0 problems in general (and i'm too lazy to try out other browsers all time if i'm not really urgently interested to go there).
    I keep to the home made browser, so some security matter inside the settings.
     
  25. Pretender

    Pretender Registered Member

    Joined:
    Apr 23, 2002
    Posts:
    670
    Location:
    Virtual Paradise
    I'm using IE6 SP1 with Windows ME. I had numerous problems since the start of November till a week ago or so. During that period.......I did notice that the critical updates had to be done (at least on my system) in the order that they were issued. My main problem, though, turned out to be that numerous .dll files were not the most current versions. They should have been, but there apparently was a problem with my original download/install of IE6 SP1. The following was the fix that I finally came up with and it worked for me:

    The following pertains to IE6 SP1 on a Windows ME system (but could work with other operating systems as well):

    There are certain files which apparently didn’t update properly on my first download/install of IE6 SP1 (which I had done a long time ago). I came across the files in an error message while attempting to get windows update to work. You need to check these files and make sure that the version number is greater than 6.0.2800.1100. If they aren’t then the following procedure should update them to the correct versions. Find them by doing an individual search in windows explorer, right click on the file, click on properties and, then, the version tab.

    DLL are the .dll files

    ACTXPRXY.dll, ADVPACK.dll, BROWSELC.dll, BROWSEUI.dll, DIGEST.dll, IEPEERS.dll, IMGUTIL.dll, INSENG.tll, MLANG.dll, MSHTML.dll, MSHTML.tlb, MSHTMLED.dll, SHDOCLC.dll, SHDOCVW.dll, SHFOLDER.dll, SHLWAPI.dll, URLMON.dll, WININET.dll, PNGFILT.dll. webcheck.dll also showed in the error message, but (after using the following procedure and checking to see if it updated) it shows 6.0.2600.0 as its version number.


    Download IE6 SP1 to desktop (even if you have IE6 SP1 already installed). Go offline and double click the IE6setup.exe file on desktop, choose custom install and click on the box preceding IE6 (which will put a check mark in it). Click on OK button or install button and it should update the 20 old files (which must have been a flaw in the IE6 SP1 original download/install that I had done). The following would be substituted with the appropriate critical updates which pertain to the system and IE version you use. Q328970 and Q324929 updates are for Windows Me using IE6 SP1. Download Q328970.exe to your desktop and go offline and double click the Q328970.exe file on your desktop to install it, restart computer. Then download the Q324929.exe file to your desktop and go offline and double click the Q324929.exe file on your desktop to install it, restart computer. Go back on the internet and check. Both Q328970 and Q324929 should show up (after SP1) at internet explorer, help (on menu bar), about internet explorer, after update versions. Run windows update and see if it works okay.


    bob
     