Microsoft Security Program: Frequently Asked Questions: Microsoft Security Bulletin (MS99-031)

What's this bulletin about?
Microsoft Security Bulletin MS99-031 announces the availability of a new version of the Microsoft VM that eliminates a security vulnerability. The vulnerability could allow a Java program on a web page to take unauthorized actions against a user who visited the page. Microsoft takes security seriously, and is providing the bulletin to inform customers of the vulnerability and what they can do about it.

What's the scope of the vulnerability?
A web-hosted Java program could take unauthorized, potentially malicious actions against visitors to the web site. The specific actions that could be taken are limited only by the privileges of the user. If a user were web browsing in an account that had few privileges on the computer, the applet might be able to cause little damage; on the other hand, if a user in a highly-privileged account browsed an affected web page, the applet would have all of the user's significant privileges on the local machine. Examples of the type of actions that could be taken in most cases include reading, writing, and deleting files, reformatting the hard drive, or copying data to/from a web page.

Are all Java programs affected by this vulnerability?
No. There are two general classes of Java programs: Java applications, which are hosted on a local machine and run like any other program, and Java applets, which are hosted on web sites and run when a web site visitor arrives at a particular page. Java applets are treated differently from Java applications. Because they are untrusted code, the virtual machine runs them in a "sandbox" that restricts what they are allowed to do. In general, the sandbox is designed to prevent a Java applet from making any changes to the data on the user's computer. The vulnerability at issue here involves the sandboxing function, and so affects only Java applets.

What's the vulnerability?
A scenario has been identified through which a Java applet could escape the sandbox and be able to perform normally-unauthorized functions on a user's computer. Exploiting the vulnerability would only be possible through a very carefully-managed series of steps, and could not happen accidentally. However, if a malicious web site operator hosted a Java applet that exploited this security vulnerability, it would be able to take virtually any action on the computer of a user who visited the site.

Does disabling Java applets in IE protect against this vulnerability?
Yes. If you've disabled Java applets, they cannot run and you cannot be affected by this vulnerability. Microsoft recommends that you consider upgrading to the new version even if you have disabled Java applets in IE, as you may decide later to re-enable Java support.

How do I know if I have a version of the Microsoft VM that has the vulnerability?
The Microsoft VM ships as part of a number of Microsoft products, but by far the most prevalent ship vehicle is Internet Explorer. If you have Internet Explorer 4.0 or 5 on your machine, you definitely have an affected version of Microsoft VM and should consider upgrading to the new version.
However, the Microsoft VM also ships as part of a small number of other products, such as Microsoft Visual Studio. If you have installed such a product, you could have an affected version of the Microsoft VM even if you do not have IE 4.0 or 5 on your machine. If you suspect that this may be the case, you can consult the build number of Microsoft VM on your machine and determine whether you have an affected build or not. Here's how to do this:

Open a command window. On Windows NT, choose "Start", then "Run", then "CMD" and hit the enter key; on Windows 95 or 98, choose "Start", then "Run" then "COMMAND" and hit the enter key.

At the command prompt, type "JVIEW" and hit the enter key.

The version information will be at the right of the topmost line.

It will have a format like "5.00.xxxx", where the "xxxx" is the build number. For example, if the version number is 5.00.1234, you have build number 1234.
Here's what the build information means:

Build number    Status
1520 or lower   Not affected by vulnerability
2000-2438       Affected by vulnerability
3000-3167       Affected by vulnerability

What should customers do?
Microsoft recommends that customers assess the risk that this vulnerability poses to their safe computing and determine whether or not to install the new version. The download location for the new version is provided in the security bulletin.

I'd like to verify that I installed the new version. How can I do this?
If you installed the patch manually, follow these instructions:

Open a command window. On Windows NT, choose "Start", then "Run", then "CMD" and hit the enter key; on Windows 95 or 98, choose "Start", then "Run" then "COMMAND" and hit the enter key.

At the command prompt, type "JVIEW" and hit the enter key.

The version information will be at the right of the topmost line. It will have a format like "5.00.xxxx", where the "xxxx" is the build number.

If the last four digits are in the range 2439-2499 (inclusive) or greater than 3186, you have the patch installed correctly.
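The two build-number tables above (affected builds, and builds that carry the fix) can be applied to a captured JVIEW banner mechanically. This is an added example, not code from the bulletin or from Microsoft; the banner text around the "5.00.xxxx" version string is a constructed assumption, and builds the bulletin does not list are reported as "unknown" rather than assumed safe.

```python
import re

# Build-number ranges taken from the two tables in the bulletin FAQ.
NOT_AFFECTED_MAX = 1520                          # "1520 or lower"
AFFECTED_RANGES = ((2000, 2438), (3000, 3167))   # listed as affected
PATCHED_RANGES = ((2439, 2499), (3187, None))    # 2439-2499, or greater than 3186

# The FAQ says the version has the format "5.00.xxxx"; xxxx is the build.
VERSION_RE = re.compile(r"\b5\.00\.(\d{4})\b")


def parse_build(first_line):
    """Extract the four-digit build number from the topmost JVIEW line.

    Returns None when the line carries no 5.00.xxxx version string.
    """
    m = VERSION_RE.search(first_line)
    return int(m.group(1)) if m else None


def classify_build(build):
    """Map a build number onto the bulletin's status tables."""
    if build <= NOT_AFFECTED_MAX:
        return "not affected"
    for lo, hi in AFFECTED_RANGES:
        if lo <= build <= hi:
            return "affected"
    for lo, hi in PATCHED_RANGES:
        if build >= lo and (hi is None or build <= hi):
            return "patched"
    # Builds the bulletin does not list (e.g. 1521-1999, 2500-2999,
    # 3168-3186): do not assume they are safe; flag for manual review.
    return "unknown"


def assess_jview_output(output):
    """Classify the Microsoft VM from captured JVIEW output (first line only)."""
    first_line = output.splitlines()[0] if output.strip() else ""
    build = parse_build(first_line)
    if build is None:
        return None, "no Microsoft VM version string found"
    return build, classify_build(build)


# Constructed sample banners (assumed wording; only "5.00.xxxx" is from the FAQ).
SAMPLES = {
    "ie5_unpatched": "Microsoft (R) Command-line Loader for Java Version 5.00.3167\n",
    "ie5_patched":   "Microsoft (R) Command-line Loader for Java Version 5.00.3229\n",
    "old_vm":        "Microsoft (R) Command-line Loader for Java Version 5.00.1520\n",
    "unlisted":      "Microsoft (R) Command-line Loader for Java Version 5.00.3180\n",
}

if __name__ == "__main__":
    for name, banner in SAMPLES.items():
        print(name, assess_jview_output(banner))
```

On a real machine, feed the script the output of `JVIEW` captured from the command window described above.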

If you installed the patch via WindowsUpdate, the simplest way to verify that the patch is installed is to re-visit the site. WindowsUpdate automatically detects which patches are installed, and will tell you that you already have installed it if you try to re-apply it.

What is Microsoft doing about this issue?

Microsoft has developed a new version of the Microsoft VM that eliminates the vulnerability.

Microsoft has provided a security bulletin and this FAQ to provide customers with a detailed understanding of the vulnerability and the new version of the Microsoft VM.

Microsoft has sent copies of the security bulletin to all subscribers to the Microsoft Product Security Notification Service, a free e-mail service that customers can use to stay up to date with Microsoft security bulletins.

Microsoft has issued a Knowledge Base article explaining the vulnerability and new version of the Microsoft VM in more detail.

Where can I learn more about best practices for security?
The Microsoft Security web site is the best place to get information about Microsoft security.

Where can I learn more about the Microsoft VM?
The Microsoft Technologies for Java web site is the best place to get information about Microsoft's Java development efforts.

How do I get technical support on this issue?
Information on contacting Microsoft Technical Support is available at http://support.microsoft.com/contactussupport/?ws=support.

THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY.
