Reported
March 19, 2003, by Microsoft.
VERSIONS AFFECTED
·
Windows XP
·
Windows 2000
·
Windows Me
·
Windows 98 Second Edition
·
Windows 98
·
Windows NT 4.0
·
Windows NT Server 4.0, Terminal Server Edition
DESCRIPTION
A
new vulnerability in the Windows Script Engine can result in the execution of
arbitrary code on the vulnerable system. This vulnerability stems from a flaw
in the way the Windows Script Engine for JScript processes information. To
exploit the vulnerability, and attacker could construct a Web page that, when
visited by the user, would use the user’s privileges to execute code of the
attacker’s choice. The attacker could host the Web on a Web site or email it
directly to the user.
VENDOR RESPONSE
Microsoft
has released Security Bulletin MS03-008,
“Flaw in Windows
Script Engine Could Allow Code Execution (814078),” to address this vulnerability
and recommends that affected users immediately apply the appropriate patch
mentioned in the bulletin.
CREDIT
Discovered
by Roland
Postle.