[ISN] Windows flaw opens PCs to attack

From: InfoSec News (isnat_private)
Date: Thu Mar 20 2003 - 23:04:46 PST

  • Next message: InfoSec News: "[ISN] Leaked Bug Alerts Cause a Stir"

    By Robert Lemos 
    Staff Writer, CNET News.com
    March 19, 2003
    A vulnerability in all versions of Windows could allow attackers to
    use a malicious Web site or HTML e-mail message to trap victims and
    take control of their PCs, warned Microsoft.
    The flaw in the scripting component of the operating system lets
    attackers run code through the scripting engine as if the program had
    been executed locally on a PC, allowing them to run their own programs
    or to take over the system. Microsoft labeled the flaw as critical in
    its announcement Wednesday.
    While the flaw can be found in every version of Windows--from Windows
    98 to Windows XP--the potential danger is offset by two factors.  
    First, security measures already in place in e-mail clients are
    designed to defeat such HTML message attacks. Second, exploiting such
    flaws through Web pages requires that the person under attack actually
    visit the malicious site.
    "The e-mail vector is only a threat with an older version of Outlook,"  
    said Iain Mulholland, security program manager for Microsoft's
    security response center. Mulholland added that it would be difficult
    to create a virus from the flaw. "It's blocked on later versions of
    Outlook," he said.
    The vulnerability is the second major flaw announced by Microsoft this
    week. On Monday, the software giant warned that a previously unknown
    vulnerability in a component of its Internet Information Services
    (IIS) Server 5.0 had allowed hackers to compromise at least one
    customer's computer system. A representative of the U.S. Army
    acknowledged on Tuesday that a military server--but not an Army
    server--had been the compromised computer.
    The Windows flaw occurs in the way that the operating system handles
    JScript, its version of JavaScript language--which itself is known
    more formally as ECMAScript Edition 3.
    An attacker can exploit the vulnerability by either sending a
    specially crafted script to the potential victim in an e-mail, or by
    including such a script on a Web site and somehow convincing the user
    to load the Web page into Internet Explorer.
    E-mail clients and Internet browsers that don't allow scripts to be
    run will block the attack, Mulholland said. In addition, Outlook
    Express 6.0 and Outlook 2002 would not be vulnerable to an attack
    launched through HTML e-mail, if the clients are run in their default
    configurations. Previous versions of Outlook would also not be
    vulnerable if the Outlook E-mail Security Update has been applied.
    Patches for the various operating systems can be found on Microsoft's
    Web site and are available through Windows Update.
    ISN is currently hosted by Attrition.org
    To unsubscribe email majordomoat_private with 'unsubscribe isn'
    in the BODY of the mail.

    This archive was generated by hypermail 2b30 : Fri Mar 21 2003 - 01:56:11 PST