TechNet Home > TechNet Security > Bulletins

Microsoft Security Bulletin (MS00-011)

Patch Available for "VM File Reading" Vulnerability

Originally Posted: February 18, 2000 

Summary

Microsoft has released a patch that eliminates a security vulnerability in the Microsoft® virtual machine (Microsoft VM). The vulnerability could enable a malicious web site operator to read files from the computer of a person who visited his site or read web content from inside an intranet if the malicious site is visited by a computer from within that intranet. In both cases the malicious applet would have to know the exact name and location of the files. Frequently asked questions regarding this vulnerability and the patch can be found at http://www.microsoft.com/technet/security/bulletin/fq00-011.mspx 

Top of sectionTop of section

General Information

Issue

The Microsoft VM is a virtual machine for the Win32® operating environment. It runs atop Microsoft Windows® 95, 98, or Windows NT®, or Windows 2000. It ships as part of each operating system, and also as part of Microsoft Internet Explorer.

The version of the Microsoft VM that ships with Microsoft Internet Explorer 4.x and Internet Explorer 5.x contains a security vulnerability that could allow a Java applet to operate outside the bounds set by the sandbox. A malicious user could write a Java applet that could read - but not change, delete or add - files from the computer of a person who visited his site or read web content from inside an intranet if the malicious site is visited by a computer from within that intranet. The malicious user would need to know the exact path and filename of the files he wished to read.

Affected Software Versions

Versions of the Microsoft VM are identified by build numbers, which can be determined using the JVIEW tool, as discussed in the FAQ. The following builds of the Microsoft VM are affected:

All builds in the 2000 series.

All builds in the 3100 series.

All builds in the 3200 series.

Note: The Microsoft VM ships as part of several products. However, the primary ship vehicle is Internet Explorer.

Vulnerability Identifier: CVE-2000-0162

Top of sectionTop of section

Patch Availability

New versions of the Microsoft VM that include a fix for the vulnerability can be downloaded from the following location:

3000 series builds: http://windowsupdate.microsoft.com 

Note: 2000 series builds are shipped as part of Internet Explorer 4.x and are currently not supported; 3100 series builds are shipped as part of Internet Explorer 5; 3200 series builds are shipped as part of Internet Explorer 5.01. However, customers may upgrade the Microsoft VM on their machines independent of the browser, and the Microsoft VM also ships as part of many other applications, so it is possible for the actual build number to be higher than the one associated with the version of IE that is installed on the machine. In such cases, customers should determine what version of the patch to install based on the build number, not on the version of IE.

Note: Additional security patches are available at the Microsoft Download Center 

Top of sectionTop of section

More Information

Please see the following references for more information related to this issue.

Frequently Asked Questions: Microsoft Security Bulletin MS00-011, http://www.microsoft.com/technet/security/bulletin/fq00-011.mspx.

Microsoft Knowledge Base (KB) article 253562, "VM File Reading" Security Vulnerability, http://support.microsoft.com/default.aspx?scid=kb;en-us;253562.

Microsoft Security Advisor web site, http://www.microsoft.com/security/default.mspx.

Obtaining Support on this Issue

This is a fully supported patch. Information on contacting Microsoft Technical Support is available at http://support.microsoft.com/contactussupport/?ws=support.

Acknowledgments

Microsoft thanks Hideo Nakamura of NEC in Tokyo, Japan for reporting the VM File Reading vulnerability to us and working with us to protect customers.

Revisions

February 18, 2000: Bulletin Created.

V2.0 (March 10, 2003): Introduced versioning and Update made to download location.

THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY.

Top of sectionTop of section

Top of pageTop of page