Re: Microsoft Warns of New Windows Flaw (March 19, 2003 )

From: MeanChildJ (MeanChildJ@Mean'
Date: 03/21/03

From: MeanChildJ <MeanChildJ@Mean'>
Date: Fri, 21 Mar 2003 20:37:31 GMT

On Thu, 20 Mar 2003 16:36:25 GMT, The Other Guy <nospam@this.addy>

>March 19, 2003
>Microsoft Warns of New Windows Flaw
>Microsoft Corp. has released a patch for a critical vulnerability in
>every version of Windows from 98 forward.
>The flaw lies in the Windows Script Engine for Jscript, which enables
>the operating system to execute script code. The engine incorrectly
>processes the script and does not correctly size a buffer during a
>memory operation. As a result, an attacker could cause a buffer
>overflow and execute code of his choice on a vulnerable machine.
>In order to exploit this problem, the attacker would either need to
>construct a Web page that contains the malicious code and lure a user
>to the page or send the user an HTML mail message with the code
>Any code the attacker is able to execute on the user's machine would
>run with the user's privileges.
>This vulnerability affects Windows 98, 98 SE, Me, NT 4.0, NT 4.0
>Terminal Server Edition, 2000 and XP. However, there are several
>mitigating factors that could prevent exploitation of the flaw. Users
>who have disabled active scripting in Internet Explorer would not be
>vulnerable to either of the above attacks. Also, Outlook Express 6.0
>and 2002 block the automatic execution of the HTML mail attack, as do
>Outlook 98 and 2000 when the Outlook Email Security Update is
>patch site:
>Flaw in Windows Script Engine Could Allow Code Execution

I'm ready to trash IE, but just trashed Opera and
Mozilla/Netscape don't seem much better. Kmeleon reviews seem to say
less functional. Any advice would help. Thanks