Flaw leaves Windows open to Java attack

Microsoft has warned of three flaws affecting its software, the most serious of which would allow an attacker to gain full control of a PC using Java applets.

The warnings, issued Wednesday, are related to the Microsoft Virtual Machine for running Java applets on Windows; a cross-site scripting bug in a component of Windows 2000 and Windows NT 4.0; and a denial-of-service bug affecting Proxy Server 2.0 and ISA Server.

With the three alerts, Microsoft has issued 12 new warnings so far this year.

The Virtual Machine (VM) flaw is the most serious, meriting a "critical" rating from Microsoft. VM ships with most versions of Windows and some versions of Internet Explorer, and is used to run programs called applets written in Sun Microsystems' Java language.

A VM component called the ByteCode Verifier does not correctly check for the presence of certain malicious code when an applet is being loaded, meaning that an attacker could slip malicious code onto a victim's PC. This malicious applet, which could be delivered via a Web page or an e-mail, could allow the attacker to run code on the PC, doing anything from erasing the hard drive to implanting a "back door" leaving the machine vulnerable to future attacks.

Microsoft said that Windows installations containing the VM include Windows 95, Windows 98 and 98SE, Windows ME, Windows NT 4.0, beginning with Service Pack 1, Windows 2000 and Windows XP.

The VM build 5.0.3802 up to and including build 5.0.3809 were tested and found to be affected, although earlier builds are probably also vulnerable, the company said. The newest builds, 3810 and later, should be downloaded and installed in order to eliminate the vulnerability. Instructions for downloading and installing the software can be found on Microsoft's Web site.

Microsoft noted that for the exploit to work, the attacker would have to entice the victim to view a malicious Web site or open

		News.Commentary Can Microsoft be secure? Improved security will depend upon a partnership among Microsoft, other software makers and end users.

a malicious e-mail. E-mail clients that place restrictions on HTML content in messages, such as some newer versions of Outlook, would prevent the attack from succeeding.

The second flaw relates cross-site scripting attacks on Microsoft Indexing Services for Windows 2000 and Windows NT 4.0. Cross-site scripting attacks were first publicized in February 2000 and can affect a variety of server-side software, enabling an attacker to insert malicious code into a victim's browsing session via a trusted Web site.

Microsoft said that a component of Indexing Services called CiWebHitsFile is vulnerable to a cross-site scripting attack. The company released a patch to fix it. Indexing Services is a search service integrated into Internet Information Server and Windows 2000.

Meanwhile, Microsoft's Proxy Server 2.0 and ISA Server contain a vulnerability that allows an attacker from within the network to put them out of commission using a specially crafted data packet.

The packet causes the software to hit 100 percent CPU utilization and stop responding to internal and external requests. While a reboot allows the software to function again, it is still vulnerable to the same attack.

Specifically, the two pieces of software each contain a flawed version of the Winsock Proxy service, which enables certain client-side applications to function as though they had a direct Internet connection, while routing their traffic through an internal server.

Microsoft released a patch for the bug on its Web site and noted that while the attack could shut the servers down, it did not allow a hacker to gain any higher privileges or compromise any content cached on the server.

ZDNet UK's Matthew Broersma reported from London.