Critical New Microsoft VM Flaw Found

A critical flaw in the controversial Microsoft VM could allow an attacker to execute code on a victim's Windows system, Microsoft warned in a bulletin Wednesday night. The problem is fixed in a new version of the Microsoft VM.

The Microsoft VM is Microsoft's Java Runtime Environment that ships with most versions of Windows and Internet Explorer. The problem arises from the failure of a low-level process called the ByteCode Verifier to check for the presence of malicious code when a Java applet is being loaded.

"The attack vector for this new security issue would likely involve an attacker creating a malicious Java applet and inserting it into a Web page that, when opened, would exploit the vulnerability. An attacker could then host this malicious Web page on a Web site, or could send it to a user in e-mail," Microsoft's security team explained in the bulletin (MS03-011).

Microsoft created a new build, 3810, of the Microsoft VM to fix the issue. Had Sun Microsystems succeeded in recent legal filings, Microsoft would not have been able to reissue the Microsoft VM.

Sun recently asked a federal judge to prevent Microsoft from updating its Microsoft VM, even in the case of security vulnerabilities. In those cases, Sun wanted Microsoft to be forced to distribute Sun's Java Runtime Environment instead of its own. The judge agreed with Sun on many issues, although not that one. In any case, the judge's decision was stayed pending appeal.

Last September, Microsoft fixed three other flaws in its Microsoft VM, including two critical flaws that also could have allowed attackers to execute code.

About the Author

Scott Bekker is editor in chief of Redmond Channel Partner magazine.

