[SECURITY-L] [0_46533_AEE7C282-5BFD-4E84-98BC-79A14F27B03B_BR em Newsletters.Microsoft.com: Microsoft Security Bulletin MS03-011:Flaw in Microsoft VM Could Enable System Compromise (816093)]

Silvana Mieko Misuta mieko em ccuec.unicamp.br
Thu Apr 10 09:18:23 -03 2003


----- Forwarded message from Microsoft <0_46533_AEE7C282-5BFD-4E84-98BC-79A14F27B03B_BR em Newsletters.Microsoft.com> -----

From: "Microsoft" <0_46533_AEE7C282-5BFD-4E84-98BC-79A14F27B03B_BR em Newsletters.Microsoft.com>
Subject: Microsoft Security Bulletin MS03-011:Flaw in Microsoft VM Could Enable System Compromise (816093)
To: <mieko em ccuec.unicamp.br>
Date: Thu, 10 Apr 2003 05:00:12 -0700
X-Mailer: Microsoft CDO for Windows 2000

-------------------------------------------------------------------

Title:      Flaw in Microsoft VM Could Enable System Compromise (816093)
Date:       09 April 2003
Software:   Microsoft VM 
Impact:     Allow attacker to execute code of his or her choice
Max Risk:   Critical
Bulletin:   MS03-011

Microsoft encourages customers to review the Security Bulletins 
at: 

http://www.microsoft.com/technet/security/bulletin/MS03-011.asp
http://www.microsoft.com/security/security_bulletins/ms03-011.asp
-------------------------------------------------------------------


Issue:
======
The Microsoft VM is a virtual machine for the Win32(r) operating 
environment. The Microsoft VM is shipped in most versions of 
Windows, as well as in most versions of Internet Explorer. 

The present Microsoft VM, which includes all previously released 
fixes to the VM, has been updated to include a fix for the newly 
reported security vulnerability. This new security vulnerability 
affects the ByteCode Verifier component of the Microsoft VM, and 
results because the ByteCode verifier does not correctly check for 
the presence of certain malicious code when a Java applet is being 
loaded. The attack vector for this new security issue would likely 
involve an attacker creating a malicious Java applet and inserting 
it into a web page that when opened, would exploit the 
vulnerability. An attacker could then host this malicious web page 
on a web site, or could send it to a user in e-mail. 


Mitigating Factors:
====================

- In order to exploit this vulnerability via the web-based attack 
vector, the attacker would need to entice a user into visiting a 
web site that the attacker controlled. The vulnerability itself 
provides no way to force a user to a web site. 

- Java applets are disabled within the Restricted Sites Zone. As a 
result, any mail client that opened HTML mail within the Restricted 
Sites Zone, such as Outlook 2002, Outlook Express 6, or Outlook 98 
or 2000 when used in conjunction with the Outlook Email Security 
Update, would not be at risk from the mail-based attack vector. 

- The vulnerability would gain only the privileges of the user, so 
customers who operate with less than administrative privileges 
would be at less risk from the vulnerability. 

- Corporate IT administrators could limit the risk posed to their 
users by using application filters at the firewall to inspect and 
block mobile code. 


Risk Rating:
============
Critical

Patch Availability:
===================
A patch is available to fix this vulnerability. Please read the 
Security Bulletins at

http://www.microsoft.com/technet/security/bulletin/ms03-011.asp
http://www.microsoft.com/security/security_bulletins/ms03-11.asp

for information on obtaining this patch.

----------------------------------------------------------------

THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS 
PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT 
DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING 
THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 
PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS 
SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, 
INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR 
SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS 
HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME 
STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR 
CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION 
MAY NOT APPLY.



*******************************************************************

You have received this e-mail bulletin because of your subscription to the Microsoft Product Security Notification Service.  For more information on this service, please visit http://www.microsoft.com/technet/security/notify.asp.
 
To verify the digital signature on this bulletin, please download our PGP key at http://www.microsoft.com/technet/security/notify.asp.
 
To unsubscribe from the Microsoft Security Notification Service, please visit the Microsoft Profile Center at http://register.microsoft.com/regsys/pic.asp 
 
If you do not wish to use Microsoft Passport, you can unsubscribe from the Microsoft Security Notification Service via email as described below:
Reply to this message with the word UNSUBSCRIBE in the Subject line.
 
For security-related information about Microsoft products, please visit the Microsoft Security Advisor web site at http://www.microsoft.com/security.

----- End forwarded message -----
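The bulletin's "Mitigating Factors" point to application-layer filters that inspect and block mobile code before it reaches the Microsoft VM. As an added example (not part of the bulletin or of any Microsoft tool), the following Python inspector flags the HTML constructs that load a Java applet; the sample HTML mail body is constructed for this example, and the MIME types are the standard Java plug-in types, assumed here as the markers a filter would key on.

```python
"""Flag Java applet loaders in HTML, as an application-layer mobile-code
filter would when inspecting HTML mail or web pages. Added example; the
sample HTML below is constructed, not taken from a real message."""
from html.parser import HTMLParser

# Standard MIME types used to load a Java applet through <object>/<embed>.
JAVA_MIME_TYPES = {"application/x-java-applet", "application/x-java-vm"}


class JavaAppletDetector(HTMLParser):
    """Collects (tag, reason) findings for every element that loads an applet."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser already lowercases tag and attribute names.
        attrs = {k: (v or "") for k, v in attrs}
        if tag == "applet":
            # <applet code="..."> is the classic applet loader.
            self.findings.append((tag, attrs.get("code", "<no code attr>")))
        elif tag in ("object", "embed"):
            # Strip parameters such as "; version=1.1" before comparing.
            mime = attrs.get("type", "").split(";")[0].strip().lower()
            if mime in JAVA_MIME_TYPES:
                self.findings.append((tag, mime))
            elif tag == "object" and attrs.get("classid", "").lower().startswith("java:"):
                # Plug-in style loader: <object classid="java:Foo.class">.
                self.findings.append((tag, attrs["classid"]))


def find_java_applets(html_text):
    """Return a list of (tag, reason) for each Java applet loader found."""
    parser = JavaAppletDetector()
    parser.feed(html_text)
    parser.close()
    return parser.findings


# Constructed sample: an HTML mail body carrying an applet three different ways.
SAMPLE_HTML = """<html><body>
<p>Quarterly report attached.</p>
<APPLET CODE="Report.class" WIDTH=1 HEIGHT=1></APPLET>
<object type="application/x-java-applet; version=1.1" width="1" height="1">
  <param name="code" value="Report.class">
</object>
<embed type="application/x-java-vm" code="Report.class">
<img src="logo.gif">
</body></html>"""

if __name__ == "__main__":
    for tag, reason in find_java_applets(SAMPLE_HTML):
        print(f"blocked: <{tag}> ({reason})")
```

A real filter would also have to look inside MIME parts and encoded bodies; this block only shows the HTML-level decision.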


More details about the SECURITY-L mailing list