Windows flaw opens PCs to attack

[InfoSec News <isn () c4i org>]

http://news.com.com/2100-1009-993310.html?tag=fd_top

By Robert Lemos 
Staff Writer, CNET News.com
March 19, 2003

A vulnerability in all versions of Windows could allow attackers to
use a malicious Web site or HTML e-mail message to trap victims and
take control of their PCs, warned Microsoft.

The flaw in the scripting component of the operating system lets
attackers run code through the scripting engine as if the program had
been executed locally on a PC, allowing them to run their own programs
or to take over the system. Microsoft labeled the flaw as critical in
its announcement Wednesday.

While the flaw can be found in every version of Windows--from Windows
98 to Windows XP--the potential danger is offset by two factors.  
First, security measures already in place in e-mail clients are
designed to defeat such HTML message attacks. Second, exploiting such
flaws through Web pages requires that the person under attack actually
visit the malicious site.

"The e-mail vector is only a threat with an older version of Outlook,"  
said Iain Mulholland, security program manager for Microsoft's
security response center. Mulholland added that it would be difficult
to create a virus from the flaw. "It's blocked on later versions of
Outlook," he said.

The vulnerability is the second major flaw announced by Microsoft this
week. On Monday, the software giant warned that a previously unknown
vulnerability in a component of its Internet Information Services
(IIS) Server 5.0 had allowed hackers to compromise at least one
customer's computer system. A representative of the U.S. Army
acknowledged on Tuesday that a military server--but not an Army
server--had been the compromised computer.

The Windows flaw occurs in the way that the operating system handles
JScript, its version of JavaScript language--which itself is known
more formally as ECMAScript Edition 3.

An attacker can exploit the vulnerability by either sending a
specially crafted script to the potential victim in an e-mail, or by
including such a script on a Web site and somehow convincing the user
to load the Web page into Internet Explorer.

E-mail clients and Internet browsers that don't allow scripts to be
run will block the attack, Mulholland said. In addition, Outlook
Express 6.0 and Outlook 2002 would not be vulnerable to an attack
launched through HTML e-mail, if the clients are run in their default
configurations. Previous versions of Outlook would also not be
vulnerable if the Outlook E-mail Security Update has been applied.

Patches for the various operating systems can be found on Microsoft's
Web site and are available through Windows Update.



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
in the BODY of the mail.