Subject: SEC avis : Microsoft: Flaw in Windows Script Engine Could Allow Code Execution.
>===========================================================
> CERT-Renater
>
> Note d'Information No. 2003/VULN101
>________________________________________________________________
>
>DATE : 20/03/2003
>
>HARDWARE PLATFORM(S) : /
>
>OPERATING SYSTEM(S) : Windows 98, Me, NT 4.0, 2000, XP
>
>===========================================================
>
>- -------------------------------------------------------------------
>Title: Flaw in Windows Script Engine Could Allow Code
> Execution (814078)
>Date: 19 March 2003
>Software: Microsoft Windows 98
> Microsoft Windows 98 Second Edition
> Microsoft Windows Me
> Microsoft Windows NT 4.0
> Microsoft Windows NT 4.0 Terminal Server Edition
> Microsoft Windows 2000
> Microsoft Windows XP
>Impact: Run Code of Attacker's Choice
>Max Risk: Critical
>Bulletin: MS03-008
>
>Microsoft encourages customers to review the Security Bulletins at:
>http://www.microsoft.com/technet/securi ... 03-008.asp
>http://www.microsoft.com/security/secur ... 03-008.asp
>- -------------------------------------------------------------------
>
>Issue:
>======
>The Windows Script Engine provides Windows operating systems with
>the ability to execute script code. Script code can be used to add
>functionality to web pages, or to automate tasks within the
>operating system or within a program. Script code can be written in
>several different scripting languages, such as Visual Basic Script,
>or JScript.
>
>A flaw exists in the way by which the Windows Script Engine for
>JScript processes information. An attacker could exploit the
>vulnerability by constructing a web page that, when visited by the
>user, would execute code of the attacker's choice with the user's
>privileges. The web page could be hosted on a web site, or sent
>directly to the user in email.
>
>Although Microsoft has supplied a patch for this vulnerability and
>recommends all affected customers install the patch immediately,
>additional preventive measures have been provided that customers
>can use to help block the exploitation of this vulnerability while
>they are assessing the impact and compatibility of the patch. These
>temporary workarounds are discussed in the "Workarounds" section in
>the Frequently Asked Questions section of the security bulletin for
>this release.
>
>
>Mitigating Factors:
>====================
> - For an attack to be successful, the user would need to visit a
> website under the attacker's control or receive an HTML e-mail
> from the attacker.
> - Computers configured to disable active scripting in Internet
> Explorer are not susceptible to this issue.
> - Exploiting the vulnerability would allow the attacker only the
> same privileges as the user. Users whose accounts are configured
> to have few privileges on the system would be at less risk than
> ones who operate with administrative privileges.
> - Automatic exploitation of the vulnerability by an HTML email
> would be blocked by Outlook Express 6.0 and Outlook 2002 in
> their default configurations, and by Outlook 98 and 2000 if used
> in conjunction with the Outlook Email Security Update.
>
>
>Risk Rating:
>============
> - Critical
>
>Patch Availability:
>===================
> - A patch is available to fix this vulnerability. Please read the
> Security Bulletins at
>
> http://www.microsoft.com/technet/securi ... 03-008.asp
> http://www.microsoft.com/security/secur ... 03-008.asp
>
> for information on obtaining this patch.
>
>
>- -------------------------------------------------------------------
>
>THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS
>PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS
>ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE
>WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
>IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE
>FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL,
>CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF
>MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE
>POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION
>OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES
>SO THE FOREGOING LIMITATION MAY NOT APPLY.
>
>
>===========================================================
[EN] - Microsoft - Flaw in Windows Script Engine...
[EN] - Microsoft - Flaw in Windows Script Engine...
Last edited by Latinus on 21 Mar 2003 10:03, edited 1 time in total.
Les courses hippiques, lorsqu'elles s'y frottent.
