CERT VU:447569
Apr 10, 2003 - 12:00 a.m.

Microsoft Windows Virtual Machine (VM) ByteCode Verifier fails to properly check Java applets for malicious code

2003-04-10 00:00:00
www.kb.cert.org

CVSS2: 7.5 High

Attack Vector: NETWORK
Attack Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

EPSS: 0.059 Low
Percentile: 93.5%

Overview

The Microsoft VM bytecode verifier fails to check for certain malicious code in a Java applet.

Description

The Microsoft VM bytecode verifier fails to check for certain malicious code in a Java applet. If an intruder can convince a victim to run a malicious Java applet, the intruder could run arbitrary code on the victim’s machine. For more information, please see Microsoft Security Bulletin MS03-011.


Impact

After convincing a victim to download and run a malicious Java applet, an intruder could run arbitrary code with the privileges of the victim.


Solution

Apply a patch as described in Microsoft Security Bulletin MS03-011.


In addition to applying the patch, we strongly recommend the security updates to Microsoft Outlook as described in <http://office.microsoft.com/Downloads/2000/Out2ksec.aspx>.



Acknowledgements

Thanks to Microsoft for reporting and correcting this vulnerability.

This document was written by Shawn V Hernan based on information provided by Microsoft in Microsoft Security Bulletin MS03-011.

Other Information

CVE IDs: CVE-2003-0111
Severity Metric: 2.25
Date Public:
