[prev in list] [next in list] [prev in thread] [next in thread]
List: ntbugtraq
Subject: Alert: Microsoft Security Bulletin - MS03-008
From: Russ <Russ.Cooper () RC ! ON ! CA>
Date: 2003-03-19 19:38:36
[Download RAW message or body]
http://www.microsoft.com/technet/security/bulletin/MS03-008.asp
Flaw in Windows Script Engine Could Allow Code Execution (814078)
Originally posted: March 19, 2003
Summary
Who should read this bulletin: Customers using Microsoft® Windows®.
Impact of vulnerability: Run Code of Attacker's Choice
Maximum Severity Rating: Critical
Recommendation: Customers should install the patch immediately.
End User Bulletin: An end user version of this bulletin is available at: \
http://www.microsoft.com/security/security_bulletins/ms03-008.asp.
Affected Software:
- Microsoft Windows 98
- Microsoft Windows 98 Second Edition
- Microsoft Windows Me
- Microsoft Windows NT 4.0
- Microsoft Windows NT 4.0 Terminal Server Edition
- Microsoft Windows 2000
- Microsoft Windows XP
Technical description:
The Windows Script Engine provides Windows operating systems with the ability to \
execute script code. Script code can be used to add functionality to web pages, or \
to automate tasks within the operating system or within a program. Script code can \
be written in several different scripting languages, such as Visual Basic Script, or \
JScript.
A flaw exists in the way by which the Windows Script Engine for JScript processes \
information. An attacker could exploit the vulnerability by constructing a web page \
that, when visited by the user, would execute code of the attacker's choice with the \
user's privileges. The web page could be hosted on a web site, or sent directly to \
the user in email.
Although Microsoft has supplied a patch for this vulnerability and recommends all \
affected customers install the patch immediately, additional preventive measures have \
been provided that customers can use to help block the exploitation of this \
vulnerability while they are assessing the impact and compatibility of the patch. \
These temporary workarounds are discussed in the "Workarounds" section in the FAQ \
below.
Mitigating factors:
- For an attack to be successful, the user would need to visit a website under the \
attacker's control or receive an HTML e-mail from the attacker.
- Computers configured to disable active scripting in Internet Explorer are not \
susceptible to this issue.
- Exploiting the vulnerability would allow the attacker only the same privileges as \
the user. Users whose accounts are configured to have few privileges on the system \
would be at less risk than ones who operate with administrative \
privileges.
- Automatic exploitation of the vulnerability by an HTML email would be blocked by \
Outlook Express 6.0 and Outlook 2002 in their default configurations, and by Outlook \
98 and 2000 if used in conjunction with the Outlook Email Security Update.
Vulnerability identifier: CAN-2003-0010
This email is sent to NTBugtraq automatically as a service to my subscribers. (v1.18)
Cheers,
Russ - Surgeon General of TruSecure Corporation/NTBugtraq Editor
oooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo
Delivery co-sponsored by Prometric - More than testing, learning.
oooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo
http://www.prometric.com
Prometric, part of The Thomson Corporation, is the leader in
technology-enabled testing and assessment services for information
technology certification, academic admissions, professional licensure and
certifications, computer-based driver's licensing, and corporate testing.
oooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic