Microsoft Warns of New Windows Flaw (March 19, 2003)

From: The Other Guy (nospam@this.addy)
Date: 03/20/03


From: The Other Guy <nospam@this.addy>
Date: Thu, 20 Mar 2003 16:36:25 GMT


http://www.eweek.com/article2/0,3959,941455,00.asp
March 19, 2003
Microsoft Warns of New Windows Flaw

Microsoft Corp. has released a patch for a critical vulnerability in
every version of Windows from 98 forward.
The flaw lies in the Windows Script Engine for JScript, which enables
the operating system to execute script code. The engine incorrectly
processes the script and does not correctly size a buffer during a
memory operation. As a result, an attacker could cause a buffer
overflow and execute code of his choice on a vulnerable machine.

In order to exploit this problem, the attacker would either need to
construct a Web page that contains the malicious code and lure a user
to the page or send the user an HTML mail message with the code
included.

Any code the attacker is able to execute on the user's machine would
run with the user's privileges.

This vulnerability affects Windows 98, 98 SE, Me, NT 4.0, NT 4.0
Terminal Server Edition, 2000 and XP. However, there are several
mitigating factors that could prevent exploitation of the flaw. Users
who have disabled active scripting in Internet Explorer would not be
vulnerable to either of the above attacks. Also, Outlook Express 6.0
and 2002 block the automatic execution of the HTML mail attack, as do
Outlook 98 and 2000 when the Outlook Email Security Update is
installed.

patch site:
Flaw in Windows Script Engine Could Allow Code Execution
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-008.asp

-- 
./configure --prefix=~/zyterion
Not this guy or that guy, The Other Guy.
This spot may contain a satirical comment or comedic source,
and is meant to be funny. If you are easily offended, gullible
or don't have a sense of humour we suggest you read elsewhere.
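
The article names disabled active scripting in Internet Explorer as a mitigation; that setting can be read from the registry. The following is an added example, not part of the original post or of Microsoft's bulletin. It assumes the standard zone settings keys and URL action 1400 (Active scripting); `Get-ActiveScriptingState` is a hypothetical helper name.

```powershell
# Added example: report the "Active scripting" setting for each IE security zone.
# URL action 1400 = Active scripting: 0 = enabled, 1 = prompt, 3 = disabled.
$ZoneNames = @{ 0 = 'My Computer'; 1 = 'Local intranet'; 2 = 'Trusted sites'
                3 = 'Internet';    4 = 'Restricted sites' }
$Meaning   = @{ 0 = 'Enabled'; 1 = 'Prompt'; 3 = 'Disabled' }

# Per-user settings first, then the machine policy key
# (assumption: the policy key exists only when Group Policy manages zone settings).
$Roots = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones',
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
)

function Get-ActiveScriptingState {
    param([string[]]$ZoneRoots = $Roots)
    foreach ($root in $ZoneRoots) {
        foreach ($zone in 0..4) {
            $key = Join-Path $root "$zone"
            $raw = $null
            if (Test-Path $key) {
                # Missing value yields $null rather than an error
                $raw = (Get-ItemProperty -Path $key -Name '1400' `
                        -ErrorAction SilentlyContinue).'1400'
            }
            if ($null -eq $raw) { $setting = 'Not set' }
            elseif ($Meaning.ContainsKey([int]$raw)) { $setting = $Meaning[[int]$raw] }
            else { $setting = "Unknown ($raw)" }

            [pscustomobject]@{
                Hive            = $root.Substring(0, 4)   # HKCU or HKLM
                Zone            = $ZoneNames[$zone]
                ActiveScripting = $setting
                Disabled        = ($raw -eq 3)            # mitigation in place for this zone
            }
        }
    }
}

Get-ActiveScriptingState | Format-Table -AutoSize
```

Ordinary web pages load in the Internet zone by default, so that row is the one that corresponds to the web-page scenario the article describes.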
