Microsoft released an advisory Wednesday night warning of three new flaws affecting Windows users, the most serious of which could allow an attacker to gain complete control of a user's system.

The flaws, two of which the company says are critical, occur in Microsoft's Virtual Machine, a program which implements the Java language on Windows platforms. The Microsoft VM is shipped in most versions of Windows, as well as in most versions of Internet Explorer.

According to the bulletin, the attack vectors for all three vulnerabilities would likely be the same, with an attacker creating a web page that, when opened, exploits the desired flaw.

The attacker would have to lure the victim to that specific page to exploit the vulnerability, or could embed the exploit in an HTML email. Microsoft notes, however, that users of email clients such as Outlook 2002 and Outlook Express 6 cannot, by default, run applets in email.

The first two vulnerabilities both involve the Java Database Connectivity classes, which provide features that allow Java applications to connect to and use data from a wide variety of data sources, ranging from flat files to SQL Server databases.

The first vulnerability, which Microsoft has deemed a critical risk, results from a flaw in the way the classes process a certain type of request. Although the classes do perform checks that are designed to ensure that only authorized applets can make these requests, it's possible to spoof the check. That would enable an attacker to load and execute any DLL on the user's system, which the attacker could use to perform any operation that the user could.

Microsoft believes that the second vulnerability, which occurs because certain functions don't correctly validate handles, would only cause Internet Explorer to fail. The company notes, however, that there is at least a theoretical possibility that the flaw could also enable an attacker to provide data that would have the effect of running code in the security context of the user.

The VM's final vulnerability, another that has earned a critical rating, involves a class that provides support for the use of XML by Java applications. This vulnerability occurs because the class does not differentiate correctly between methods suitable for use by any applet and those only suitable for use by trusted ones. Microsoft admits that among the functions that could be misused through this vulnerability are ones that would enable an applet to take virtually any desired action on the user's system.

Microsoft could not be reached for comment this morning, but has issued a patch for all three vulnerabilities, which is available by visiting the company's Windows Update site.