Microsoft VM ActiveX Component Vulnerability

The Microsoft virtual machine (Microsoft VM) includes a security vulnerability that may allow script code in a Web page or HTML-based e-mail message access to ActiveX controls that should not be available in those contexts. This could allow a malicious web site operator to take any desired action on a user's machine.

Issue

The Microsoft VM is a virtual machine for the Win32® operating environment. It runs atop Microsoft® Windows 95, 98, Windows Me, Windows NT 4.0, or Windows 2000. It ships as part of each operating system, and also as part of Microsoft Internet Explorer. The version of the Microsoft VM that ships with Microsoft Internet Explorer 4.x and Internet Explorer 5.x contains a security vulnerability that could allow a Java applet, on a malicious web site to take any desired action on a visiting user's machine.

The Microsoft virtual machine (Microsoft VM) contains functionality that allows ActiveX controls to be created and manipulated by Java applications or applets. This functionality is intended to only be available to stand-alone Java applications or digitally signed applets. However, this vulnerability allows ActiveX controls to be created and used from a web page, or from within a HTML based e-mail message, without requiring a signed applet. If a user visited a malicious web site that exploited this vulnerability, a Java applet on one of the web pages could run any desired ActiveX control, even ones that are marked as unsafe for scripting. This would enable the malicious web site operator to take any desired action on the user's machine.

Affected Products

• Microsoft VM 2000 & 3000 series

Download

Patch: http://www.microsoft.com/java/vm/dl_vm40.htm

Further Details

Source: Microsoft Corporation

Reference: Microsoft Corporation

Updated: October 30, 2000

>> Recommended Download - secure your PC from spyware, adware and malware now with Spyware Doctor <<