[prev in list] [next in list] [prev in thread] [next in thread] 

List:       ntbugtraq
Subject:    Alert: Microsoft Security Bulletin - MS03-008
From:       Russ <Russ.Cooper () RC ! ON ! CA>
Date:       2003-03-19 19:38:36
[Download RAW message or body]

http://www.microsoft.com/technet/security/bulletin/MS03-008.asp

Flaw in Windows Script Engine Could Allow Code Execution (814078)

Originally posted: March 19, 2003

Summary

Who should read this bulletin: Customers using Microsoft® Windows®.

Impact of vulnerability: Run Code of Attacker's Choice

Maximum Severity Rating: Critical

Recommendation: Customers should install the patch immediately.

End User Bulletin: An end user version of this bulletin is available at: \
http://www.microsoft.com/security/security_bulletins/ms03-008.asp.

Affected Software: 
- Microsoft Windows 98 
- Microsoft Windows 98 Second Edition
- Microsoft Windows Me
- Microsoft Windows NT 4.0
- Microsoft Windows NT 4.0 Terminal Server Edition
- Microsoft Windows 2000
- Microsoft Windows XP 

Technical description: 

The Windows Script Engine provides Windows operating systems with the ability to \
execute script code.  Script code can be used to add functionality to web pages, or \
to automate tasks within the operating system or within a program.  Script code can \
be written in several different scripting languages, such as Visual Basic Script, or \
JScript.

A flaw exists in the way by which the Windows Script Engine for JScript processes \
information. An attacker could exploit the vulnerability by constructing a web page \
that, when visited by the user, would execute code of the attacker's choice with the \
user's privileges. The web page could be hosted on a web site, or sent directly to \
the user in email. 

Although Microsoft has supplied a patch for this vulnerability and recommends all \
affected customers install the patch immediately, additional preventive measures have \
been provided that customers can use to help block the exploitation of this \
vulnerability while they are assessing the impact and compatibility of the patch. \
These temporary workarounds are discussed in the "Workarounds" section in the FAQ \
below.

Mitigating factors:
- For an attack to be successful, the user would need to visit a website under the \
                attacker's control or receive an HTML e-mail from the attacker. 
- Computers configured to disable active scripting in Internet Explorer are not \
                susceptible to this issue.
- Exploiting the vulnerability would allow the attacker only the same privileges as \
the user. Users whose accounts are configured to have few privileges on the system \
                would be at less risk than ones who operate with administrative \
                privileges.
- Automatic exploitation of the vulnerability by an HTML email would be blocked by \
Outlook Express 6.0 and Outlook 2002 in their default configurations, and by Outlook \
98 and 2000 if used in conjunction with the Outlook Email Security Update. 

Vulnerability identifier: CAN-2003-0010



This email is sent to NTBugtraq automatically as a service to my subscribers. (v1.18)

Cheers,
Russ - Surgeon General of TruSecure Corporation/NTBugtraq Editor

oooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo
Delivery co-sponsored by Prometric - More than testing, learning.
oooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo
http://www.prometric.com

Prometric, part of The Thomson Corporation, is the leader in
technology-enabled testing and assessment services for information
technology certification, academic admissions, professional licensure and
certifications, computer-based driver's licensing, and corporate testing.

oooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo


[prev in list] [next in list] [prev in thread] [next in thread]