Code Execution Vulnerability in Windows Script Engine - 20 Mar 2003

Reported March 19, 2003, by Microsoft.

VERSIONS AFFECTED

·         Windows XP

·         Windows 2000

·         Windows Me

·         Windows 98 Second Edition

·         Windows 98

·         Windows NT 4.0

·         Windows NT Server 4.0, Terminal Server Edition

DESCRIPTION

A new vulnerability in the Windows Script Engine can result in the execution of arbitrary code on the vulnerable system. This vulnerability stems from a flaw in the way the Windows Script Engine for JScript processes information. To exploit the vulnerability, and attacker could construct a Web page that, when visited by the user, would use the user’s privileges to execute code of the attacker’s choice. The attacker could host the Web on a Web site or email it directly to the user.

VENDOR RESPONSE

Microsoft has released Security Bulletin MS03-008, “Flaw in Windows Script Engine Could Allow Code Execution (814078),” to address this vulnerability and recommends that affected users immediately apply the appropriate patch mentioned in the bulletin.

CREDIT

Discovered by Roland Postle.