Critical New Microsoft VM Flaw Found

A critical flaw in the controversial Microsoft VM could allow an attacker to execute code on a victim's Windows system, Microsoft warned in a bulletin Wednesday night. The problem is fixed in a new version of the Microsoft VM.

The Microsoft VM is Microsoft's Java Runtime Environment that ships with most versions of Windows and Internet Explorer. The problem arises from the failure of a low-level process called the ByteCode Verifier to check for the presence of malicious code when a Java applet is being loaded.

"The attack vector for this new security issue would likely involve an attacker creating a malicious Java applet and inserting it into a Web page that when opened, would exploit the vulnerability. An attacker could then host this malicious Web page on a Web site, or could send it to a user in e-mail," Microsoft's security team explained in the bulletin (MS03-011).

Microsoft created a new build, 3810, of the Microsoft VM to fix the issue. Had Sun Microsystems succeeded in recent legal filings, Microsoft would not have been able to reissue the Microsoft VM.

Sun recently asked a federal judge to prevent Microsoft from updating its Microsoft VM, even in the case of security vulnerabilities. In those cases, Sun wanted Microsoft to be forced to distribute Sun's Java Runtime Environment instead of its own. The judge agreed with Sun on many issues, although not that one. In any case, the judge's decision was stayed pending appeal.

Last September, Microsoft fixed three other flaws in its Microsoft VM, including two critical flaws that also could have allowed attackers to execute code.

About the Author

Scott Bekker is editor in chief of Redmond Channel Partner magazine.

