Security Information Week 42, 2000
A new security vulnerability in Microsoft VM (Virtual Machine) has been reported. If exploited, for example by a malicious web page creator, this vulnerability could allow any action to occur on a computer that browses a particular web page.
Microsoft VM is shipped as a part of Windows 95/98, Windows Me, Windows NT 4.0 and Windows 2000, as well as Internet Explorer versions 4.x and 5.x.
This security issue exists because Microsoft VM has functionality that allows Java applications and applets to create and manipulate ActiveX controls. This can be done from a web page or from an HTML-based e-mail message.
A malicious web page creator who tricks a person using Internet Explorer into opening a web page that exploits this vulnerability could do anything on the computer that the user is able to do. She could read files, delete files, change information, format the hard disk and so on.
Microsoft has released a new version of Microsoft VM that eliminates this security issue; see the link to the download page below. Norman strongly recommends installing the new version on all affected computers.
If Internet Explorer, Outlook Express or Outlook is configured so that Active Scripting or Scripting of Java applets is disabled, you are not vulnerable to this security flaw. Frequent readers of Norman's Security Information will know that several of the issues discussed have to do with security problems with Internet Explorer and Active Scripting. Norman recommends disabling Active Scripting in the Internet zone.
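To check whether the workaround above is actually in effect on a machine, the following added example (not code from Norman or Microsoft) reads the two Internet-zone settings from the registry. It assumes the standard Internet Explorer zone layout, where the Internet zone is `Zones\3` and the URL actions are `1400` (Active scripting) and `1402` (Scripting of Java applets); the function names are hypothetical.

```powershell
# Added example, not from the advisory. Internet zone = Zones\3.
# URL actions: 1400 = Active scripting, 1402 = Scripting of Java applets.
# Value data: 0 = Enable, 1 = Prompt, 3 = Disable.
$Zone    = 'Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'
$Policy  = 'Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'
$Actions = [ordered]@{ '1400' = 'Active scripting'; '1402' = 'Scripting of Java applets' }
$States  = @{ 0 = 'Enabled'; 1 = 'Prompt'; 3 = 'Disabled' }

function Get-ZoneActionValue {
    param([string]$Path, [string]$Action)
    # Returns the DWORD, or $null when the key or value does not exist.
    $item = Get-ItemProperty -Path $Path -Name $Action -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$Action
}

function Get-InternetZoneScriptingState {
    # Assumed precedence (simplified): policy hives override preference hives.
    # The Security_HKLM_only policy switch is not evaluated here.
    $hives = "HKLM:\$Policy", "HKCU:\$Policy", "HKCU:\$Zone", "HKLM:\$Zone"
    foreach ($id in $Actions.Keys) {
        $value = $null
        $source = '(not set, zone default applies)'
        foreach ($hive in $hives) {
            $value = Get-ZoneActionValue -Path $hive -Action $id
            if ($null -ne $value) { $source = $hive; break }
        }
        if ($null -eq $value) {
            $state = 'Unknown'
        } elseif ($States.ContainsKey($value)) {
            $state = $States[$value]
        } else {
            $state = "Unrecognised ($value)"
        }
        [pscustomobject]@{ Action = $id; Name = $Actions[$id]; State = $state; Source = $source }
    }
}

$report = @(Get-InternetZoneScriptingState)
$report | Format-Table -AutoSize
# The advisory treats either setting being disabled as sufficient. "Prompt" is
# not counted as disabled because the user can still approve the script.
if ($report.State -contains 'Disabled') {
    'Mitigation in place: at least one of the two settings is disabled.'
} else {
    'Mitigation NOT in place: neither setting is disabled in the Internet zone.'
}
```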
More information is available from the links below:
- Microsoft's download page for this vulnerability
- Microsoft's Security Bulletin MS00-072
- Microsoft's Frequently Asked Questions about this vulnerability
- Microsoft's Knowledge Base article about this vulnerability
- George Guninski's Security Advisory 23/2000
Per Olav Førland
