Microsoft last Thursday announced a fix for a vulnerability in its Virtual Machine (VM) software that could let malicious hackers take full control of a victim's computer.
Details of where and how the patch can be downloaded are available at www.microsoft.com/technet/security/bulletin/ms00-075.asp.
"Microsoft views this as a serious vulnerability and would encourage all of our customers to review the bulletin and FAQ and download the patch," said a Microsoft spokeswoman.
Microsoft's Virtual Machine -- which ships as part of Internet Explorer and products such as Virtual Studio -- contains functionality to create and run ActiveX code.
By design, only a digitally signed Java applet should be able to invoke this functionality. The VM flaw allows even unsigned applets to run an ActiveX control.
"If such an applet were hosted on a malicious user's Web site, it could take actions that only a trusted applet should be able to take," according to the Microsoft bulletin announcing the fix.
"It's a pretty dangerous hole," said Russ Cooper, surgeon general with ICSA.Net, a security service in Reston, Va. "One analogy would be to think of it as having a bank say we don't care who signs your checks or even if anybody signs it at all."
A malicious Web site operator that persuaded a user to visit the site could exploit the hole to gain access to -- and take full control of -- a victim's system, the Microsoft bulletin added. Users would be open to attack even if the security options in IE are set to prevent unsafe ActiveX code from running, because the flaw is with the VM and not ActiveX, Microsoft warned.
The most common method of exploiting the hole would be for an attacker to send HTML-formatted e-mail containing links to a malicious site to an unsuspecting user, Cooper said.
All users of IE 4.x or IE 5.x have a version of VM that is affected by the flaw, according to Microsoft's bulletin. Other users can determine whether their version of VM is vulnerable by looking at the so-called build number for their version of VM. The Microsoft bulletin includes information about how users can verify this for themselves.
