Re: Microsoft Warns of New Windows Flaw (March 19, 2003 )

From: MeanChildJ (MeanChildJ@Mean's.net)
Date: 03/21/03


From: MeanChildJ <MeanChildJ@Mean's.net>
Date: Fri, 21 Mar 2003 20:37:31 GMT

On Thu, 20 Mar 2003 16:36:25 GMT, The Other Guy <nospam@this.addy>
wrote:

>
>http://www.eweek.com/article2/0,3959,941455,00.asp
>March 19, 2003
>Microsoft Warns of New Windows Flaw
>
>Microsoft Corp. has released a patch for a critical vulnerability in
>every version of Windows from 98 forward.
>The flaw lies in the Windows Script Engine for Jscript, which enables
>the operating system to execute script code. The engine incorrectly
>processes the script and does not correctly size a buffer during a
>memory operation. As a result, an attacker could cause a buffer
>overflow and execute code of his choice on a vulnerable machine.
>
>In order to exploit this problem, the attacker would either need to
>construct a Web page that contains the malicious code and lure a user
>to the page or send the user an HTML mail message with the code
>included.
>
>Any code the attacker is able to execute on the user's machine would
>run with the user's privileges.
>
>This vulnerability affects Windows 98, 98 SE, Me, NT 4.0, NT 4.0
>Terminal Server Edition, 2000 and XP. However, there are several
>mitigating factors that could prevent exploitation of the flaw. Users
>who have disabled active scripting in Internet Explorer would not be
>vulnerable to either of the above attacks. Also, Outlook Express 6.0
>and 2002 block the automatic execution of the HTML mail attack, as do
>Outlook 98 and 2000 when the Outlook Email Security Update is
>installed.
>
>patch site:
>Flaw in Windows Script Engine Could Allow Code Execution
>http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-008.asp

I'm ready to trash IE, but GreyMagic.com just trashed Opera and
Mozilla/Netscape don't seem much better. Kmeleon reviews seem to say
less functional. Any advice would help. Thanks

MeanChildJ