Help and Support
 

powered byLive Search

MS03-011: Flaw in the Microsoft VM could enable system compromise

View products that this article applies to.
Article ID:816093
Last Review:December 3, 2007
Revision:16.2

Technical Update

July 17, 2003: This article was updated to add information about Windows 2000 Service Pack 4 and Windows Server 2003.

November 10, 2003: The "Restart Requirement" section was updated.

April 23, 2004: This article was updated to remove information about Windows 2000 Service Pack 4.
On This Page

SYMPTOMS

The Microsoft VM is a virtual machine for the Win32operating environment. The Microsoft VM is shipped in most versions of Windows and in most versions of Microsoft Internet Explorer. A new security vulnerability has been reported that affects the ByteCode Verifier component of the Microsoft VM. It occurs because the ByteCode verifier does not correctly look for certain malicious code when a Java applet is being loaded. The attack vector for this new security issue would likely involve an attacker creating a malicious Java applet and inserting it into a Web page that would exploit this vulnerability when it was opened. An attacker could then host this malicious Web page on a Web site or could send it to a user in e-mail. The present Microsoft VM has been updated to include a fix for this newly reported security vulnerability. This version of VM includes all previously released fixes to the VM.

Back to the top

RESOLUTION

To resolve this problem, install the 816093 Microsoft VM Security Update package. This update upgrades the Microsoft VM to version 5.00.3810. All versions of the Microsoft VM earlier than 5.00.3810 are affected by the vulnerabilities that are listed in the "Symptoms" section of this article.

Back to the top

Download information

Windows Server 2003, Windows XP, Windows NT, Windows 98, Windows ME, Small Business Server 2003, and Windows 2000 (except for Windows 2000 SP2 and SP3)

To download the patch to update existing installations of the Microsoft VM, visit the Microsoft Windows Update Web site. Windows Update detects what version of Windows you are running and offers the appropriate patch. To locate the update, visit the "Critical Updates" section of the Microsoft Windows Update Web site:
http://windowsupdate.microsoft.com (http://windowsupdate.microsoft.com)

For Windows 2000 SP2 and SP3 only

The following files are available for download from the Microsoft Download Center:
DownloadDownload the 816093 package now. (http://www.microsoft.com/downloads/details.aspx?FamilyId=DD870EAC-69EF-4287-9A07-6C740F162644&displaylang=en)
For more information about how to download Microsoft support files, click the following article number to view the article in the Microsoft Knowledge Base:
119591 (http://support.microsoft.com/kb/119591/) How to obtain Microsoft support files from online services
Microsoft scanned this file for viruses. Microsoft used the most current virus-detection software that was available on the date that the file was posted. The file is stored on security-enhanced servers that help prevent any unauthorized changes to the file.

Back to the top

Deployment Information

Network administrators can download this update from the Windows Update Catalog to deploy to multiple computers that already have the Microsoft VM installed:
http://v4.windowsupdate.microsoft.com/catalog (http://v4.windowsupdate.microsoft.com/catalog)
If you have to obtain this update to install later on one or more than one computer, search for this article ID number by using the Advanced Search Options in the Windows Update Catalog. For more information about how to download updates from the Windows Update Catalog, click the following article number to view the article in the Microsoft Knowledge Base:
323166 (http://support.microsoft.com/kb/323166/) How to download Windows updates and drivers from the Windows Update Catalog
Notes
If you are running Windows Server 2003, Windows XP, or Windows 2000 SP4 without the Microsoft VM installed, you cannot install this update to the Microsoft VM. If you try to install this update to the Microsoft VM on a computer that does not already have the Microsoft VM installed that is running Windows Server 2003, Windows XP, or Windows 2000 SP4, you receive the following message:
Microsoft VM
This setup will only upgrade over an existing version of the Microsoft VM.
If you click OK, you receive the following message:
Microsoft VM
The installation is complete.
This message is incorrect. The Microsoft VM is not installed if you do not already have the Microsoft VM installed.

For more information, click the following article numbers to view the articles in the Microsoft Knowledge Base:
820101 (http://support.microsoft.com/kb/820101/) Frequently asked questions about the Microsoft VM and Windows 2000 Service Pack 4
813926 (http://support.microsoft.com/kb/813926/) Differences between Windows XP Service Pack 1 and Windows XP Service Pack 1a
To download this update for computers that have the Microsoft VM installed that are running Windows Server 2003, Windows XP, or Windows 2000 SP4, or for computers that are running Windows NT 4.0, Windows Millennium Edition (Me), Windows 98 Second Edition, or Windows 98, select Windows Server 2003, Windows XP, Windows 2000 SP4, Windows Millennium Edition, or Windows 98 for your operating system.
Windows NT 4.0-based computers do not have access to the Windows Update Catalog. If you have to download a Windows NT 4.0 package to install on multiple computers or to install later, access the Windows Update catalog by using a computer than runs Windows 98, Windows Millennium Edition, Windows 2000, Windows XP, or Windows Server 2003, and then select Windows 98, Windows Millennium Edition, Windows 2000 SP4, Windows Server 2003, or Windows XP for your operating system. This security update will install on computers that already have the Microsoft VM installed that are running Windows 98, Windows Millennium Edition, Windows 2000 SP4, Windows Server 2003, Windows XP, or Windows NT 4.0. Administrators who do not have access to a computer that is running Windows XP, Windows 98, Windows Millennium Edition, Windows 2000, or Windows Server 2003 can contact Microsoft Product Support Services (PSS) to obtain the patch. For a complete list of Microsoft Product Support Services phone numbers and information about support costs, visit the following Microsoft Web site:
http://support.microsoft.com/default.aspx?scid=fh;EN-US;CNTACTMS (http://support.microsoft.com/default.aspx?scid=fh;en-us;cntactms)
For more information about how to install the Microsoft VM silently without restarting your computer, click the following article number to view the article in the Microsoft Knowledge Base:
304930 (http://support.microsoft.com/kb/304930/) How to install Microsoft Virtual Machine updates silently without restarting your computer

Prerequisites

This update will only install on computers that already have an earlier version of the Microsoft VM installed. Windows 2000 SP2 and Windows 2000 SP3 version of this Microsoft VM update requires Windows 2000 SP2 or later and cannot be installed on any other operating system. To download this update for Windows 2000 SP2 or Windows 2000 SP3 from the Windows Update Catalog, select either Windows 2000 SP2 or Windows 2000 SP3 for your operating system. For more information about how to obtain Windows 2000 SP2 or later, click the following article number to view the article in the Microsoft Knowledge Base:
260910 (http://support.microsoft.com/kb/260910/) How to obtain the latest Windows 2000 service pack
If you are using Windows NT 4.0, you must have Windows NT 4.0 SP3 or later installed to install this update. For more information about how to obtain the latest Windows NT 4.0 service pack, click the following article number to view the article in the Microsoft Knowledge Base:
152734 (http://support.microsoft.com/kb/152734/) How to obtain the latest Windows NT 4.0 service pack

Restart Requirement

You must restart your computer after you install this update if you are updating the Microsoft VM build 3802 or earlier. (The Microsoft VM build 3802 is included with Windows 2000 SP2.) The update also requires an administrator logon after the restart to complete the installation. You do not have to restart your computer if you install the Java VM update over build 3805 through build 3810. (The Microsoft VM build 3805 is included with Windows 2000 SP3.)

Removal Information

This patch contains system files and protected components and therefore cannot be removed.

Patch Replacement Information

This update replaces the following updates:
http://www.microsoft.com/technet/security/bulletin/MS99-031.mspx (http://www.microsoft.com/technet/security/bulletin/MS99-031.mspx)
http://www.microsoft.com/technet/security/bulletin/MS99-045.mspx (http://www.microsoft.com/technet/security/bulletin/MS99-045.mspx)
http://www.microsoft.com/technet/security/bulletin/MS00-011.mspx (http://www.microsoft.com/technet/security/bulletin/MS00-011.mspx)
http://www.microsoft.com/technet/security/bulletin/MS00-075.mspx (http://www.microsoft.com/technet/security/bulletin/MS00-075.mspx)
http://www.microsoft.com/technet/security/bulletin/MS00-081.mspx (http://www.microsoft.com/technet/security/bulletin/MS00-081.mspx)
http://www.microsoft.com/technet/security/bulletin/MS02-013.mspx (http://www.microsoft.com/technet/security/bulletin/MS02-013.mspx)
http://www.microsoft.com/technet/security/bulletin/MS02-052.mspx (http://www.microsoft.com/technet/security/bulletin/MS02-052.mspx)
http://www.microsoft.com/technet/security/bulletin/MS02-069.mspx (http://www.microsoft.com/technet/security/bulletin/MS02-069.mspx)

File Information

The English version of this update has the file attributes (or later file attributes) that are listed in the following table. The dates and times for these files are listed in Coordinated Universal Time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time item in Control Panel.
   Date         Time   Version     Size       File name
   ------------------------------------------------------
   13-Mar-2003  14:51                  2,678  Classes.cer
   13-Mar-2003  14:51              5,751,849  Classes.zip
   17-Mar-2003  19:05  5.0.3810.0    404,752  Javart.dll
   13-Mar-2003  18:33  5.0.3810.0    172,304  Jview.exe
   17-Mar-2003  19:05  5.0.3810.0    946,960  Msjava.dll
   13-Mar-2003  14:51                  2,678  Msjdbc.cer
   13-Mar-2003  14:51                137,482  Msjdbc.zip
   20-Mar-2002  08:53                 10,957  Osp.zip
Note After you install the updated VM, all the .zip files will have different names. This is typical behavior and can be ignored. Also note that only some of the files in the Zip package have been changed for this release. However, these files cannot be packaged individually.

Back to the top

WORKAROUND

There are a number of workarounds that you may be able to apply temporarily while you evaluate and test the new Microsoft VM:
In an enterprise environment, you can use application filters at the firewall to examine and block mobile code.
You can use a later Microsoft e-mail client computer, such as a computer that is running Microsoft Outlook 2002 or Outlook Express 6. By default, the e-mail attack vector is prevented in later versions of Outlook. If you are using earlier Microsoft Outlook clients such as clients that are running Outlook 98 or 2000, the e-mail vector is blocked if the Outlook Email Security Update is used.
You can prevent Java applets from being run in the Internet Explorer Internet zone. Note that if you disable Java applets, your ability to view certain Web pages may be affected. To disable Java applets:
1.On the Tools menu, click Internet Options, click the Security tab, and then click Custom Level.
2.In the Settings box, click Disable Java under Java Permissions, click OK, and then click OK again.

Back to the top

STATUS

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.

Back to the top

MORE INFORMATION

To determine the Microsoft VM build number on a computer that is running Windows 98, Windows 98 Second Edition, or Windows Millennium Edition, follow these steps:
1.Click Start, and then click Run.
2. In the Open box, type command, and then click OK.
3.At the command prompt, type jview, and then press ENTER.

The version information appears on the first line as "Version n.nn.nnnn," where the last four digits are the build number. For example, 5.00.3802 is Microsoft VM build 3802.
To determine the Microsoft VM build number on a computer running Windows NT 4.0, Windows 2000, or Windows XP, follow these steps:
1.Click Start , and then click Run.
2.In the Open box, type cmd, and then click OK.
3.At the command prompt, type jview, and then press ENTER.

Notice that the version information appears on the first line as "Version n.nn.nnnn," where the last four digits are the build number. For example, 5.00.3802 is Microsoft VM build 3802.
For more information about this vulnerability, visit the following Microsoft Web site:
http://www.microsoft.com/technet/security/bulletin/MS03-011.mspx (http://www.microsoft.com/technet/security/bulletin/MS03-011.mspx)

Back to the top

REFERENCES

For more information about how this patch applies to Windows 2000 Service Pack 4, click the following article number to view the article in the Microsoft Knowledge Base:
820101 (http://support.microsoft.com/kb/820101/) Frequently asked questions about the Microsoft VM and Windows 2000 service pack 4
For more information about the differences between Windows XP Service Pack 1 and Windows XP Service Pack 1a, click the following article number to view the article in the Microsoft Knowledge Base:
813926 (http://support.microsoft.com/kb/813926/) Differences between Windows XP Service Pack 1 and Windows XP Service Pack 1a

Back to the top

APPLIES TO
Microsoft Windows Server 2003, 64-Bit Datacenter Edition
Microsoft Windows Server 2003, Enterprise x64 Edition
Microsoft Windows Server 2003, Datacenter Edition (32-bit x86)
Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)
Microsoft Windows Server 2003, Standard Edition (32-bit x86)
Microsoft Windows Server 2003, Web Edition
Microsoft Windows XP Professional
Microsoft Windows XP Home Edition
Microsoft Windows XP Tablet PC Edition
Microsoft Windows 2000 Service Pack 2
Microsoft Windows 2000 Service Pack 3
Microsoft Windows 2000 Advanced Server
Microsoft Windows Millennium Edition
Microsoft Windows NT Server 4.0 Standard Edition
Microsoft Windows NT Workstation 4.0 Developer Edition
Microsoft Windows NT Server 4.0, Terminal Server Edition
Microsoft Windows 98 Second Edition
Microsoft Windows 98 Standard Edition
Microsoft Windows Small Business Server 2003 Premium Edition
Microsoft Windows Small Business Server 2003 Standard Edition

Back to the top

Keywords: 
kbdownload kbbug kbfix kbsecvulnerability kbqfe kbenv kbsecurity kbsecbulletin KB816093

Back to the top

Article Translations

 

Other Support Options

  • Need More Help?
    Contact a Support professional by Email, Online or Phone.
  • Customer Service
    For non-technical assistance with product purchases, subscriptions, online services, events, training courses, corporate sales, piracy issues, and more.
  • Newsgroups
    Pose a question to other users. Discussion groups and Forums about specific Microsoft products, technologies, and services.