The software giant issues alerts about eight Java Virtual Machine security holes that could allow hackers to access data or even wipe a hard drive clean.
4 min read
Microsoft late Wednesday issued a "critical" security alert for a
series of Java Virtual Machine bugs, one of which could allow a hacker
to steal information or reformat the hard drives of compromised
The alert, which relates to Microsoft's version of the JVM, comes a
week after Sun Microsystems asked a federal judge to issue an injunction compelling the software
titan to carry Sun's version of the JVM in the Windows XP operating system. Microsoft's
version of the JVM is based on 5-year-old Sun technology.
Microsoft gave the series of JVM glitches its highest alert rating because the extensive amount of damage a hacker could do if a computer is compromised. The Redmond, Wash.-based company identified eight vulnerabilities in all, rating one "critical," two as "important," two "moderate" and three "low."
The most serious of the security holes "could enable an attacker?s
Java applet to gain control over another user?s system," according to
the alert. "This would enable the attacker to take any desired
action on the user?s system; for instance, the attacker could add,
delete or change data on the user?s system; communicate with Web sites;
load and run programs; reformat the hard drive, and so forth."
The exploit is possible because of a flaw in the way Microsoft's JVM
handles software written to Microsoft?s Component Object Model (COM). "Although the Microsoft
(JVM) has security checks to prevent Java applets from invoking COM
objects, there is a method of invoking them that bypasses the checks,"
according to the security bulletin.
A hacker could use a Web site or HTML-based e-mail to begin the attack.
The two "important" flaws "could enable an attacker to read--but
not change, add or delete--files from another user?s system, and
potentially from other network shares that the user has read access
to," according to Microsoft's security alert. Both exploits would take advantage of a flaw in how
Microsoft's JVM handles the Java Applet tag. This would allow the
hacker to create a Java applet that loads from a different Web site
than the one the browser is accessing. The exploit would allow the
hacker to access, but not change, any local or network files a person
has rights to.
The first of the two "moderate" flaws would allow a hacker's Java
applet to pose as coming from another location, or domain, in a Web
browser that is different from where the browser says the user is. The
hacker would then be able to collect information, including login
names and passwords, using the fake Web site.
The second moderate exploit would take advantage of a flaw in
Microsoft's application programming interface (API) code for connecting
to databases. "This vulnerability could enable an attacker to access
databases in the guise of another user," according to the security
alert. "If successfully exploited, it would enable an attacker to read,
add, change or delete data in any data source the user has access
Two of the three "low" rated vulnerabilities would cause nuisances. One would prevent the JVM from running and another could
crash Internet Explorer. But the third one, which would allow a Java applet to
access supposedly secure system settings, would allow a hacker to
pilfer the user name.
Microsoft encourages all Windows users to update their JVM to a
newer version, which is available from the Windows Update Web site.
Microsoft issued two additional security alerts on Wednesday, one
that would allow a hacker to seize control over a compromised computer and
another that would let a hacker change group policies.
The first exploit, given the rating of important,
takes advantage of a flaw in a timer message sent at the end of a
"An attacker who successfully exploited this vulnerability could
gain unwarranted privileges on a system," according to a Microsoft
security bulletin. "In this case, the attacker could gain full
administrative privileges, thereby gaining the ability to take any
desired action on the machine, such as adding, deleting, or modifying
data on the system, creating or deleting user accounts, and adding
accounts to the local administrators group."
Microsoft rated the flaw important--not critical--because the hacker would
require some other kind of authorized access to the computer to fully
exploit the security bug. The problem affects Windows NT 4, Windows NT
4 Terminal Server Edition, Windows 2000 and Windows XP.
The final exploit, rated moderate, would let a hacker use the
Server Message Block protocol to change group policy settings on a
compromised computer. "By doing this, the attacker could take actions
such as adding users to the local administrators group or installing
and running code of his or her choice on the system," according to the
Microsoft security alert.
Windows XP systems with Service Pack 1 installed are not vulnerable
to this exploit, according to Microsoft. Patches are available for
Windows XP and
The new security problems come less than a week after Microsoft
raised to critical from moderate a
flaw affecting Internet Explorer. Security experts had sharply criticized Microsoft for downplaying
the seriousness of the security breach.
In late November, Microsoft grappled with an even more serious flaw,
affecting Internet Explorer and also the Internet Information Server
software, which potentially exposed
more than 4 million Web sites to hackers.