CERT Coordination Center

Microsoft Windows Virtual Machine (VM) ByteCode Verifier fails to properly check Java applets for malicious code

Vulnerability Note VU#447569

Original Release Date: 2003-04-10 | Last Revised: 2003-04-10

Overview

The Microsoft VM bytecode verifier fails to check for certain malicious code in a Java applet.

Description

The Microsoft VM bytecode verifier fails to check for certain malicious code in a Java applet. If an intruder can convince a victim to run a malicious Java applet, the intruder could run arbitrary code on the victim's machine. For more information, please see Microsoft Security Bulletin MS03-011.

Impact

After convincing a victim to download and run a malicious Java applet, an intruder could run arbitrary code with the privileges of the victim.

Solution

Apply a patch as described in Microsoft Security Bulletin MS03-011.

In addition to applying the patch, we strongly recommend installing the security updates to Microsoft Outlook described at http://office.microsoft.com/Downloads/2000/Out2ksec.aspx.

Acknowledgements

Thanks to Microsoft for reporting and correcting this vulnerability.

This document was written by Shawn V Hernan based on information provided by Microsoft in Microsoft Security Bulletin MS03-011.

Other Information

CVE IDs: CVE-2003-0111
Severity Metric: 2.25
Date Public: 2003-04-09
Date First Published: 2003-04-10
Date Last Updated: 2003-04-10 17:01 UTC
Document Revision: 10

Sponsored by CISA.