Bug leaves Windows open to Java attack

Microsoft has warned of three new flaws affecting its software, the most serious of which could allow an attacker to gain full control of a user's PC running a Java applet.

The three warnings involve the Microsoft Virtual Machine for running Java applets on Windows; a cross-site scripting bug in a component of Windows 2000 and Windows NT 4.0; and a denial-of-service bug affecting Proxy Server 2.0 and ISA Server.

With the three alerts, Microsoft has issued 12 new warnings so far this year. Late last month the company issued patches for Windows and IIS.

The Virtual Machine (VM) flaw is the most serious, meriting a "critical" rating from Microsoft. The VM ships with most versions of Windows and some versions of Internet Explorer, and is used to run programs called "applets" written in Sun Microsystems' Java language.

A VM component called the ByteCode Verifier does not correctly check for the presence of certain malicious code when the applet is being loaded, meaning that an attacker could slip malicious code onto a user's PC. This malicious applet, which could be delivered via a web page or an email, could allow the attacker to run code of his choice on the PC, doing anything from erasing the hard drive to implanting a "back door" leaving the machine vulnerable to future attacks.

Microsoft said that Windows installations containing the VM include Windows 95, Windows 98 and 98SE, Windows ME, Windows NT 4.0, beginning with Service Pack 1, Windows 2000 and Windows XP.

VM builds 5.0.3802 up to and including build 5.0.3809 were tested and found to be affected, although earlier builds are probably also vulnerable, the company said. The latest builds, 3810 and later, should be downloaded and installed in order to eliminate the vulnerability. Instructions for downloading and installing the software can be found on Microsoft's website.

Microsoft noted that for the exploit to work, the attacker would have to entice the user to view a malicious website or open a malicious email. Email clients that place restrictions on HTML content in messages, such as some newer versions of Outlook, would prevent the attack from succeeding.

The cross-site scripting (CSS) bug affects Microsoft Indexing Services for Windows 2000 and Windows NT 4.0. Cross-site scripting attacks were first publicised in February of 2000, and can affect a variety of different server-side software, enabling an attacker to insert malicious code into a user's browsing session via a trusted Web site.

Microsoft said that a component of Indexing Services called CiWebHitsFile is vulnerable to a CSS attack, and released a patch to fix it. Indexing Services is a search service integrated into Internet Information Server and Windows 2000.

Microsoft's Proxy Server 2.0 and ISA Server contain a vulnerability that allows an attacker from within the network to put them out of commission using a specially crafted data packet.

The packet causes the software to hit 100 percent CPU utilisation and stop responding to internal and external requests. While a reboot allows the software to function again, it is still vulnerable to the same attack.

Specifically, the two pieces of software both contain a flawed version of the Winsock Proxy service, which enables certain client-side applications to function as though they had a direct Internet connection, while routing their traffic through an internal server.

Microsoft released a patch for the bug on its Web site, and noted that while the attack could shut the servers down, it did not allow a hacker to gain any higher privileges or compromise any content cached on the server.

Matthew Broersma writes for ZDNet UK