Microsoft Corp. warned of two software flaws that could allow an attacker to take control of PCs running its Windows operating systems. All Windows users should patch their software to correct the flaws, which Microsoft described as critical in a notice late Wednesday.
The flaws lie in Microsoft’s virtual machine (VM) software for running Java applications on Windows computers. All versions of the VM, including the latest 5.0.3805, are affected, Microsoft said in a security bulletin.
The first flaw lies in a feature that allows Java applications to connect to databases, the second in a function that supports the use of XML (Extensible Markup Language) by Java applications, Microsoft said.
To exploit the flaws, an attacker would have to send the user an e-mail in HTML (Hypertext Markup Language) format or lure a user to a specially crafted Web site. An attacker could take virtually any desired action on a user’s system after a successful attack, according to Microsoft.
The VM is a standard part of most versions of Windows and is delivered with the Internet Explorer Web browser. It has also been available as a separate download, Microsoft said. Users can check if they have the VM installed by accessing the command prompt and entering “jview.” The VM is installed if a program starts.
On Wednesday Microsoft also disclosed a third, less serious flaw in the database support functions of its VM. Exploiting this flaw, classified “low” on Microsoft’s severity rating, would at least crash Internet Explorer, but could allow an attacker to run code on the user’s computer, Microsoft said.
This is not the first time that Microsoft has had to alert users to a flaw in its VM. The Redmond, Wash., software maker issued a “critical” alert in March because of a flaw that could let an attacker put a tap on a user’s Web browser.
Thor Larholm, a security researcher based in Denmark working for PivX Solutions LLC, said Microsoft’s VM is “fundamentally insecure.”
“Microsoft’s virtual machine overall is fundamentally insecure,” Larholm said. “Java usually enforces a sandboxing model so you can run code in a safe manner. But Microsoft’s VM allows any programmer to escape that secure model.”
Users seeking an alternative to Microsoft’s VM could choose to install Sun Microsystems Inc.’s Java VM for Windows systems. Sun is the inventor of Java. Larholm, who is also a Java programmer, said he likes the Sun Java virtual machine (JVM), but that it may have its own security bugs.
“The Sun JVM is not as widely used at Microsoft’s and I don’t know if there are any vulnerabilities in it,” Larholm said. “There is more incentive to look for vulnerabilities in Microsoft’s software because it is so widely used.”
In a separate security bulletin Wednesday, Microsoft warned of two flaws in a feature that supports remote terminal connections to PCs running Windows 2000 and Windows XP. These “moderate” flaws affect users of Terminal Services and Remote Desktop.