A new software vulnerability that affects a number of different versions of Microsoft's Windows operating system could enable
remote attackers to use a Web page or HTML-formatted e-mail message to run their own malicious code on a Windows machine.
The buffer overrun vulnerability was discovered in the Windows Script Engine, which allows Windows operating systems to run
script code written in languages such as Visual Basic Script (VBScript) or JScript, according to security bulletin MS03-008,
which was released on Wednesday.
The vulnerability affects all supported versions of the Windows operating system including Windows 98, 98 Second Edition,
ME, NT 4.0, 2000 and XP, the company said.
Scripting languages are commonly used to add functionality to Web pages beyond what is possible with pages written using straight
Hypertext Markup Language (HTML). Scripts enable a Web page to set and store variables as well as manipulate data and objects
such as Web browser windows.
By creating a Web page containing script code that exploits the new vulnerability, an attacker could launch an attack by posting that page on the Web, then tricking a user with a vulnerable
Windows machine into visiting the page.
Alternatively, an attacker could send the Web page in an HTML-formatted e-mail message. When the e-mail message was opened,
the script would run, executing the malicious code on the user's machine.
Despite the critical rating assigned to the new vulnerability, Microsoft qualified its warning.
Users of Microsoft Outlook Express 6.0 or Outlook 2002 are not vulnerable to an e-mail-based attack, according to the
Redmond, Washington, company.
Users of Microsoft Outlook 98 or 2000 who have deployed the Outlook Email Security Update are also protected, Microsoft said.
Finally, in executing malicious code, an attacker would only gain the privilege level of the user who is currently logged
on. Provided that user had limited local permissions, attackers could be hampered in their own efforts to manipulate the compromised
system.
Microsoft posted a patch for the Windows Script Engine vulnerability on Wednesday and encouraged all affected users to apply
the patch at the earliest possible opportunity. (See: http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-008.asp.)
The company also posted details on a number of strategies that can be used to protect systems from attack in the absence of
the Windows patch. Those strategies include turning off support for Active Scripting in Internet Explorer, installing
the Outlook Email Security Update and restricting browsing to Web sites in the Internet Explorer Trusted Zone.
This is Microsoft's second critical vulnerability in less than a week.
On Monday the company warned of an unchecked buffer in a Windows 2000 component used to handle the World Wide Web Distributed
Authoring and Versioning (WebDAV) protocol. That vulnerability could enable an attacker to cause a buffer overflow on the
machine running the Internet Information Server Web server.
Microsoft warned that it was already aware of exploits that use the WebDAV vulnerability, but said it was aware of no attacks
that took advantage of the new Windows Script Engine vulnerability.