Thank you to eaglebtc for the links :)
Title: 04 March 2002 Cumulative VM Update
Released: 04 March 2002
Revised: 18 March 2002 (version 2.0)
Software: Microsoft Virtual Machine
Impact: Information Disclosure, run code of an attacker's choice
Max Risk: Critical
Reason for Revision:
====================
On March 4, 2002, Microsoft released the first version of this bulletin. On March 18, 2002, Microsoft re-released this bulletin to make customers aware of an additional vulnerability that is eliminated by the updated VM (Microsoft VM build 3805). Customers who have previously installed the new build do not need to take any additional action.
Issue:
======
The Microsoft VM is a virtual machine for the Win32(r) operating environment. The Microsoft VM is available for Windows 95, Windows 98, ME, Windows NT(r) 4.0, Windows 2000, and Windows XP. It is also available as part of Internet Explorer 6 and earlier.
A new build of the VM (build 3805) is available, which eliminates two security vulnerabilities. The first vulnerability is the result of a flaw affecting how Java requests for proxy resources are handled. A malicious Java applet could exploit this flaw to re-direct web traffic once it has left the proxy server to a destination of the attacker's choice.
The second vulnerability is a newly discovered variant of the "Virtual Machine Verifier" issue first discussed in MS99-045. Like most programming languages, the Java language provides the means to convert types by means of casting operations. Most commonly, these are used to convert data types, although other more complex type conversion is possible. A flaw exists in the security checks on casting operations within the Microsoft VM. A vulnerability results because it is possible for an attacker to exploit this flaw and use it to execute code outside of the sandbox. This code would execute in the context of the user, and would only be limited by those constraints which govern the user herself.
The flaw only affects Java applets; it does not affect Java applications. To mount a successful attack, the malicious user would have to specially craft a Java applet at the binary level, post it on his site, and entice the intended target to visit his site.
Download: MS Java VM, build 3805 for 95, 98, Me, NT4, XP [All supported language versions included]
Download: MS Java VM, build 3805 for Windows 2000 (Hotfix) - [SP1 or SP2 required, select from language]
Download: MS Java VM, debug classes only (for 1337 developers)
News source: Microsoft Technet Security Bulletin - MS02-013 - 04 March 2002 Cumulative VM Update
"We have strong relationships with many of the state attorneys general," said Microsoft spokesman Jim Desler. "We work with them on various activities and initiatives. On this issue, we agree to disagree. While the states do have a role in antitrust enforcement, the non-settling states stepped outside the boundaries of that role when they chose to pursue a different course from the Justice Department, resulting in conflicting national competition policy."
In making the filing, the states are trying to protect their sovereignty over antitrust matters, something a dismissal could potentially undermine, said legal experts.
"There are a lot of us who, having done antitrust defense, would like to see this whole dual-sovereignty issue resolved," said Emmett Stanton, an antitrust lawyer with Fenwick & West in Palo Alto, Calif. "If there was a case to challenge this, this would be the one."
The "friends of court" briefs filed by the 25 states were not expected, but a third brief from the litigating states came as no surprise. The states rebutted Microsoft's request more in the context of the overall antitrust case than in regard to the sovereignty issue.
They argued that Microsoft's request is "effectively, a motion to set aside the Court of Appeals' mandate."
In June 2000, seven judges unanimously upheld eight separate antitrust violations against Microsoft.
The filings could give the litigating states important air cover as they return to court next week for what could be as much as eight weeks of testimony. They are looking for stiffer sanctions than those proposed by the Justice Department and the settling states. The settlement largely puts restrictions on Microsoft's business practices. The litigating states also want restrictions on how Microsoft develops and deploys software.
While overseeing the settlement proceeding, Kollar-Kotelly must weigh whether the settlement meets the standard demanded by the Nixon-era Tunney Act. That law requires that a settlement be in the public interest and that no backroom dealmaking influence the process. Kollar-Kotelly could reject or approve the proposed deal at any time.
