Microsoft has upgraded the severity of a flaw in its Virtual Machine for Windows from moderate to critical because it could allow attackers to gain control of affected systems.
This is the second time in 10 days that Microsoft has upgraded the severity of a vulnerability. Last week, Microsoft backtracked on the seriousness of a flaw in Internet Explorer after criticism arose from security researchers.
The critical virtual machine flaw is one of eight vulnerabilities in the VM that Microsoft has announced. The Microsoft VM allows Windows systems to run applications written in the Java programming language.
Of the vulnerabilities, Microsoft is calling only one "critical." The risk level of the others ranges from "important" to "low." All of the vulnerabilities can be exploited similarly, either through specially designed Web sites or through HTML e-mails, Microsoft said in an advisory. Certain mail clients such as Outlook Express 6 and Outlook 2002 would block these e-mail messages because Java is disabled by default. Outlook 98 and 2000 would also block them if the Outlook E-mail Security Update has been installed.
A few of the flaws only pose a nuisance threat, such as causing Internet Explorer to crash or preventing Web sites from running correctly on a Web browser. Other vulnerabilities are more serious and could allow an attacker to read files on an affected system. The most serious vulnerability could allow an untrusted Java applet to access Component Object Model objects. Accessing such objects could allow an attacker to gain control of a system.
The ease of exploiting the vulnerabilities makes them especially serious, said Marc Maiffret, chief hacking officer at eEye Digital Security of Aliso Viejo, Calif.
"Someone would just need a good understanding of Java, Java applets, and how Internet Explorer and the Microsoft Virtual Machine function," he said. "These flaws are not like buffer overflows, where it requires a little bit more in-depth understanding of how a system operates, with memory management, etc."
Microsoft has produced a new version of the VM that includes fixes for the eight vulnerabilities. As a stopgap measure, Maiffret suggests turning off Internet Explorer Java permissions. Such a measure shouldn't be too painful because Web sites are moving away from Java in favor of generic HTML, server-side scripting and various other active content technologies such as Macromedia Inc.'s Flash software, he said.
The VM comes installed on Microsoft Windows 95, Windows 98 and 98SE Windows Millennium, Windows NT 4.0 (beginning with Service Pack 1), Windows 2000 and Windows XP (beginning with Service Pack 1). The application also is part of many versions of Internet Explorer.