Microsoft Corp. has released a patch for a critical vulnerability in every version of Windows from 98 forward.
The flaw lies in the Windows Script Engine for JScript, which enables the operating system to execute script code. The engine incorrectly processes the script and does not correctly size a buffer during a memory operation. As a result, an attacker could cause a buffer overflow and execute code of his choice on a vulnerable machine.
In order to exploit this problem, the attacker would either need to construct a Web page that contains the malicious code and lure a user to the page or send the user an HTML mail message with the code included.
Any code the attacker is able to execute on the user's machine would run with the user's privileges.
This vulnerability affects Windows 98, 98 SE, Me, NT 4.0, NT 4.0 Terminal Server Edition, 2000 and XP. However, there are several mitigating factors that could prevent exploitation of the flaw. Users who have disabled active scripting in Internet Explorer would not be vulnerable to either of the above attacks. Also, Outlook Express 6.0 and 2002 block the automatic execution of the HTML mail attack, as do Outlook 98 and 2000 when the Outlook Email Security Update is installed.
The patch for this vulnerability is available here.
Search for more stories by Dennis Fisher.