March 19, 2003, 4:58 PM — A new software vulnerability that affects a number of different versions of Microsoft Corp.'s Windows operating system could enable remote attackers to use a Web page or HTML-formatted e-mail message to run their own malicious code on a Windows machine.
The buffer overrun vulnerability was discovered in the Windows Script Engine, which allows Windows operating systems to run script code written in languages such as Visual Basic Script (VBScript) or JScript, according to security bulletin MS03-008, which was released on Wednesday.
The vulnerability affects all supported versions of the Windows operating system, including Windows 98, 98 Second Edition, ME, NT 4.0, 2000 and XP, the company said.
Scripting languages are commonly used to add functionality to Web pages beyond what is possible with pages written using straight Hypertext Markup Language (HTML). Scripts enable a Web page to set and store variables as well as manipulate data and objects such as Web browser windows.
By creating a Web page containing script code that exploits the new vulnerability, an attacker could launch an attack by posting that page on the Web, then tricking a user with a vulnerable Windows machine into visiting the page.
Alternatively, an attacker could send the Web page in an HTML-formatted e-mail message. When the e-mail message was opened, the script would run, executing the malicious code on the user's machine.
Despite the critical rating assigned to the new vulnerability, Microsoft qualified its warning.
Users of Microsoft Outlook Express 6.0 or Outlook 2002 are not vulnerable to an e-mail-based attack, according to the Redmond, Washington, company.
Users of Microsoft Outlook 98 or 2000 who have deployed the Outlook Email Security Update are also protected, Microsoft said.
Finally, in executing malicious code, an attacker would only gain the privilege level of the user who is currently logged on. Provided that user had limited local permissions, attackers could be hampered in their efforts to manipulate the compromised system.
Microsoft posted a patch for the Windows Script Engine vulnerability on Wednesday and encouraged all affected users to apply the patch at the earliest possible opportunity. (See: http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-008.asp.)
The company also posted details on a number of strategies that can be used to protect systems from attack in the absence of the Windows patch. Those strategies include turning off support for Active Scripting in Internet Explorer, installing the Outlook Email Security Update and restricting browsing to Web sites in the Internet Explorer Trusted Zone.