Reported March 19, 2003, by Microsoft.

                       

 

VERSIONS AFFECTED

 

·         Windows XP

·         Windows 2000

·         Windows Me

·         Windows 98 Second Edition

·         Windows 98

·         Windows NT 4.0

·         Windows NT Server 4.0, Terminal Server Edition

 

DESCRIPTION

 

A new vulnerability in the Windows Script Engine can result in the execution of arbitrary code on the vulnerable system. This vulnerability stems from a flaw in the way the Windows Script Engine for JScript processes information. To exploit the vulnerability, and attacker could construct a Web page that, when visited by the user, would use the user’s privileges to execute code of the attacker’s choice. The attacker could host the Web on a Web site or email it directly to the user.

 

VENDOR RESPONSE

 

Microsoft has released Security Bulletin MS03-008, “Flaw in Windows Script Engine Could Allow Code Execution (814078),” to address this vulnerability and recommends that affected users immediately apply the appropriate patch mentioned in the bulletin.

 

CREDIT

Discovered by Roland Postle.