For the lazy......
by dirkdidit · Score: 4, Informative
WASHINGTON -- Microsoft Corp. on Wednesday warned about a serious flaw in almost every version of its popular Windows software that could allow hackers to seize control of a person's computer when victims read e-mails or visit Web sites.
Microsoft assessed the problem's urgency as critical, its highest level, and urged customers to download a free repairing patch immediately from its Web site, www.microsoft.com/security.
The company said it was unaware of any reports that hackers already had used the technique to break into computers, but the time between disclosure of a new flaw and such break-ins has become increasingly short.
Russ Cooper, a security expert for TruSecure Corp., based in Herndon, Va., predicted that antivirus software will be updated to protect users who might receive infected e-mails and that Web sites with infected pages would be shut down quickly once they are detected.
"I doubt we will see an attack based on this," Cooper said. "It's pretty unlikely any such exploit attempt will get legs."
The problem involves tricking Windows into processing unsafe code built into a Web page or e-mail message. It was particularly unusual because it affected so many different versions of Windows, from Windows 98 to its latest Windows XP editions.
There was some good news. Microsoft said customers using the newest versions of its e-mail software, Outlook Express 6 and Outlook 2002, were protected from hackers trying to exploit the problem using e-mails.
Older versions of Outlook would also be safe if customers had manually applied another security patch, which Microsoft released in 2000 after the spread of the damaging "ILOVEYOU" virus.
Microsoft said customers could manually adjust settings hidden deep within its Internet Explorer browsing software to prevent Windows from processing the dangerous code. Experts, however, said that was not easy to do for many users and that it would cripple convenient functions for many popular Web sites.
Re:There seems to be some discrepancy here...
by blakestah · Score: 5, Informative
No, I think you are missing it.
The article describes a remote root exploit that affects IIS servers.
You are citing an article on a remote root exploit based on a user reading an email or visiting a web site.
Different remote root exploits. The IIS one is expected to be a pain, the email reading/website visiting one is not.
Two separate vulnerabilities
by nweaver · Score: 4, Informative
#1 is the WebDAV vulnerability, affecting IIS 5 on Win2k. This is the one used to corrupt the military web server in question, and is a very worm friendly (arbitrary remote execution) vulnerability. This is the most likely target of a worm, as it can be purely automatic (à la Slammer and Code Red), and gives full system access.
#2 is a script engine vulnerability, allowing an email message or web page to execute arbitrary code. Although good for mail worms, this is less autonomous-worm friendly: it's a good secondary way to cross a firewall, but users need to read the email to spread, making a slower worm, something in the ballpark of an auto-executing Klez: a pain but nothing catastrophic. It also runs as the user, not as system, making it a (somewhat) less valuable exploit when targeting Win2k/XP.
Both are serious vulnerabilities which require patching, however.
In case you are curious...
by Elwood+P+Dowd · Score: 4, Informative
No, you are not crazy. These articles are all referring to the other MS issue this week: IIS's WebDAV remote buffer overflow attack.
There is, however, a new issue today. Use Windows Update. This new issue would allow operators of a malicious website to remote root your machine if you navigate to them. This applies to all (!) versions of Windows since Win98.
The worm-friendly bug is the old bug. So, technically speaking, this post is 100% dupe. It just happened to (luckily?) coincide with another MS security issue.
--
There are no trails. There are no trees out here.
Re:Is there a Slashdot type site just for CODERS?
by davidstrauss · Score: 2, Informative
The Details
by Anonymous Coward · Score: 5, Informative
Technical details
Technical description:
The Windows Script Engine provides Windows operating systems with the ability to execute script code. Script code can be used to add functionality to web pages, or to automate tasks within the operating system or within a program. Script code can be written in several different scripting languages, such as Visual Basic Script, or JScript.
A flaw exists in the way by which the Windows Script Engine for JScript processes information. An attacker could exploit the vulnerability by constructing a web page that, when visited by the user, would execute code of the attacker's choice with the user's privileges. The web page could be hosted on a web site, or sent directly to the user in email.
Although Microsoft has supplied a patch for this vulnerability and recommends all affected customers install the patch immediately, additional preventive measures have been provided that customers can use to help block the exploitation of this vulnerability while they are assessing the impact and compatibility of the patch. These temporary workarounds are discussed in the "Workarounds" section in the FAQ below.
Frequently asked questions:
What's the scope of the vulnerability?
This is a buffer overrun vulnerability. An attacker who successfully exploited this vulnerability could cause code of his or her choice to be executed as though it originated on the local machine.
What causes the vulnerability?
The vulnerability is caused by a heap overflow in the Windows Script Engine for the JScript scripting language, JScript.dll.
What is a scripting language?
Scripting languages can be used to add additional functionality to HTML web pages or operating systems. They can enable a web author to set and store variables, and work with data in the HTML code. For instance, a script can be used to check the version of the web browser a user is running, validate input, work with applets or controls, and communicate to the user.
In addition, scripts can be used in Windows to automate operating system tasks such as changing settings or mapping a network drive.
What is a scripting engine?
The Windows Scripting Engine serves as the component within Windows that interprets and executes script code written in scripting languages such as JScript or VBscript.
What is JScript?
JScript is the Microsoft implementation of the ECMA 262 language specification (ECMAScript Edition 3).
It is an interpreted, object-based scripting language. In general, JScript has fewer capabilities than full-fledged object-oriented languages like C++. Stand-alone applications cannot be written in JScript, for example. JScript scripts can run only in the presence of an interpreter or "host", such as Active Server Pages (ASP), Internet Explorer, or Windows Script Host.
What's wrong with the Windows Script Engine for JScript?
There is a flaw in the way the JScript scripting engine processes the script. It does not correctly size a buffer during a memory operation.
What could this vulnerability enable an attacker to do?
This vulnerability could enable an attacker to cause code of the attacker's choice to run with user privileges on the system.
If I am not using Internet Explorer do I need the patch?
Yes. The vulnerability exists in the Windows Script Engine. Microsoft recommends all customers install the patch immediately.
How could an attacker exploit this vulnerability?
The attacker would need to construct a web page that contained specially formed script code. The attack could then proceed via either of two vectors. In the first, the attacker could host the web page on a web site; when a user visited the site, the web page could launch the script and exploit the vulnerability. In the second, the attacker could send the web page as an HTML mail. Upon being opened by the recipient, the web page could attempt to invoke the function and exploit the vulnerab
Re:Can bug affect hotmail or yahoo email?
by johny_qst · Score: 2, Informative
This affects all users who view HTML webpages with Internet Explorer or view HTML email on their Windows box with an old version of Outlook or Outlook Express. If you are using another browser or email program you are still vulnerable if scripting is enabled. This is a problem with processing JScript. This is a problem for most M$ boxes. If using one please upgrade to another OS or update using Windows Update.
-- Fnord.sig
Re:Contradictions from the experts
by ryanr · Score: 3, Informative
Probably because they are about two different vulns. Since the webdav hole is known to have an exploit already being used in the wild, it's pretty safe for Russ to say that it will be used. :)
He's probably also not too far off with the jscript integer overflow either. It's usually difficult to write an exploit that will work for all the different OS and jscript.dll versions, without simply crashing on a mismatched version. That makes an effective worm a lot less likely.
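Added example, not part of any post above and not code from Microsoft or jscript.dll: a generic C illustration of the bug class the bulletin describes ("does not correctly size a buffer during a memory operation") and that the last comment calls an integer overflow, shown beside a hardened size check. The type elem_t and all function names are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical 8-byte element type; not taken from jscript.dll. */
typedef struct { uint32_t tag; uint32_t value; } elem_t;

/* Flawed sizing: the multiplication is done in 32 bits and can wrap, so the
 * result may be far smaller than `count` elements actually need. A buffer
 * allocated with this size is then overrun by any loop that trusts `count`. */
static uint32_t unchecked_alloc_size(uint32_t count)
{
    return count * (uint32_t)sizeof(elem_t);
}

/* Hardened sizing: refuse any count whose byte size does not fit in 32 bits.
 * Returns 0 on success and stores the size in *out, -1 on overflow. */
static int checked_alloc_size(uint32_t count, uint32_t *out)
{
    if (count > UINT32_MAX / sizeof(elem_t))
        return -1;
    *out = count * (uint32_t)sizeof(elem_t);
    return 0;
}

/* Copy `count` elements into a fresh heap buffer; NULL if the count is
 * zero, would overflow the size computation, or allocation fails. */
static elem_t *copy_elems(const elem_t *src, uint32_t count)
{
    uint32_t bytes;
    if (count == 0 || checked_alloc_size(count, &bytes) != 0)
        return NULL;
    elem_t *dst = malloc(bytes);
    if (dst != NULL)
        memcpy(dst, src, bytes);
    return dst;
}

int main(void)
{
    uint32_t hostile = 0x20000001u;   /* constructed input: 0x20000001 * 8 wraps */
    uint32_t bytes = 0;
    printf("unchecked size for %u elements: %u bytes\n",
           (unsigned)hostile, (unsigned)unchecked_alloc_size(hostile));
    printf("checked size: %s\n",
           checked_alloc_size(hostile, &bytes) == 0 ? "accepted" : "rejected");
    return 0;
}
```

The flawed function only returns the wrapped size and never allocates or writes with it, so the program is safe to run as is.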
Half the stories linked to are for the wrong vuln. I think they're supposed to be warning us about this one:
http://www.microsoft.com/security/security_bulletins/ms03-008.asp
www.cgisecurity.com
www.cgisecurity.com/lib
http://developers.slashdot.org/
Samba is not a standard part of any Linux distro that I know of.
been in every version of RH since 6.2 that I know of.
a/s/l here. Sorry, adding domain tags to your s