CERTVU:657625Microsoft Virtual Machine incorrectly parses the domain portion of URLs containing a colon
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
EPSS
Percentile
88.4%
Overview
Some versions of the Microsoft virtual machine (Microsoft VM) contain a flaw that could allow untrusted Java applets from an attacker’s site to be run instead of the trusted applet from the intended site.
Description
The Microsoft virtual machine (Microsoft VM) enables Java programs to run on Windows platforms. The Microsoft VM is included in most versions of Windows and Internet Explorer.
The Microsoft VM contains a flaw that incorrectly parses URLs if they contain a colon used to indicate the port number. The vulnerability results because it’s possible to create a URL that will cause the Microsoft VM to incorrectly determine the domain from which a Java applet was loaded, and conclude that it came from one web site when in fact it came from another. Specifically, if a URL is crafted in a particular format containing references to two different web sites, the VM will incorrectly process it and load a Java applet from an untrusted site while running it in the trusted site’s domain.
The crafted URL could be hosted on an attacker’s web site or introduced to the user via an HTML email.
Impact
Because the malicious applet would be located in the context of the legitimate site’s domain, it could potentially access any cookies that the legitimate site had placed on the victim user’s system. Additionally, any information the malicious applet solicited from the user could be relayed back to the attacker’s site instead of the intended site.
Solution
Apply a patch from the vendor
Microsoft has issued Security Bulletin MS02-069 addressing this vulnerability. Users are encouraged to follow the instructions outlined in the bulletin and apply the patches that it refers to.
Workarounds
Disable Java
- if the ability to run Java applets is not required or desired, configure your web browser to not execute them. Information about disabling Java in various web browsers can be found here.
Note that disabling Java in your web browser may not mitigate this vulnerability for Java programs that are invoked via another method.
Vendor Information
657625
Filter by status: All Affected Not Affected Unknown
Filter by content: __ Additional information available
__ Sort by: Status Alphabetical
Expand all
Javascript is disabled. Click here to view vendors.
Microsoft Corporation __ Affected
Notified: November 26, 2002 Updated: December 18, 2002
Status
Affected
Vendor Statement
Microsoft Corporation’s statement can be found in Microsoft Security Bulletin MS02-069.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23657625 Feedback>).
CVSS Metrics
| Group | Score | Vector |
|---|---|---|
| Base | ||
| Temporal | ||
| Environmental |
References
Acknowledgements
Thanks to Jouko Pynnonen for reporting this vulnerability.
This document was written by Chad R Dougherty.
Other Information
| CVE IDs: | CVE-2002-1286 |
|---|---|
| Severity Metric: | 7.36 Date Public: |
Related
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
EPSS
Percentile
88.4%