Critical New Microsoft VM Flaw Found

A critical flaw in the controversial Microsoft VM could allow an attacker to execute code on a victim's Windows system, Microsoft warned in a bulletin Wednesday night. The problem is fixed in a new version of the Microsoft VM.

The Microsoft VM is Microsoft's Java Runtime Environment that ships with most versions of Windows and Internet Explorer. The problem arises from the failure of a low-level process called the ByteCode Verifier to check for the presence of malicious code when a Java applet is being loaded.

"The attack vector for this new security issue would likely involve an attacker creating a malicious Java applet and inserting it into a Web page that when opened, would exploit the vulnerability. An attacker could then host this malicious Web page on a Web site, or could send it to a user in e-mail," Microsoft's security team explained in the bulletin (MS03-011).

Microsoft created a new build, 3810, of the Microsoft VM to fix the issue. Had Sun Microsystems succeeded in recent legal filings, Microsoft would not have been able to reissue the Microsoft VM.

Sun recently asked a federal judge to prevent Microsoft from updating its Microsoft VM, even in the case of security vulnerabilities. In those cases, Sun wanted Microsoft to be forced to distribute Sun's Java Runtime Environment instead of its own. The judge agreed with Sun on many issues, although not that one. In any case, the judge's decision was stayed pending appeal.

Last September, Microsoft fixed three other flaws in its Microsoft VM, including two critical flaws that also could have allowed attackers to execute code.

About the Author

Scott Bekker is editor in chief of Redmond Channel Partner magazine.


  • Office Mobile Apps To End as Microsoft Highlights New Office App

    Microsoft plans to end support for Windows 10 Mobile applications on Jan. 12, 2021, according to a Friday announcement.

  • Is Microsoft Finally Reinventing Office?

    Microsoft is testing out a new technology called "Fluid Framework." It could mean that Brien's dream of one Office app to rule them all might soon become reality.

  • Azure Active Directory Connect Preview Adds Support for Disconnected AD Forests

    Microsoft on Thursday announced a preview of a new "Cloud Provisioning" feature for the Azure Active Directory Connect service that promises to bring together scattered Active Directory "forests."

  • Microsoft Defender ATP Gets macOS Investigation Support

    The endpoint and detection response (EDR) feature in Microsoft Defender Advanced Threat Protection (ATP) has reached the "general availability" stage for macOS devices.

comments powered by Disqus

Office 365 Watch

Sign up for our newsletter.

Terms and Privacy Policy consent

I agree to this site's Privacy Policy.