For the lazy......
by
dirkdidit
·
· Score: 4, Informative
WASHINGTON -- Microsoft Corp. on Wednesday warned about a serious flaw in almost every version of its popular Windows software that could allow hackers to seize control of a person's computer when victims read e-mails or visit Web sites.
Microsoft assessed the problem's urgency as critical, its highest level, and urged customers to download a free repairing patch immediately from its Web site, www.microsoft.com/security.
The company said it was unaware of any reports that hackers already had used the technique to break into computers, but the time between disclosure of a new flaw and such break-ins has become increasingly short.
Russ Cooper, a security expert for TruSecure Corp., based in Herndon, Va., predicted that antivirus software will be updated to protect users who might receive infected e-mails and that Web sites with infected pages would be shut down quickly once they are detected.
"I doubt we will see an attack based on this," Cooper said. "It's pretty unlikely any such exploit attempt will get legs."
The problem involves tricking Windows into processing unsafe code built into a Web page or e-mail message. It was particularly unusual because it affected so many different versions of Windows, from Windows 98 to its latest Windows XP editions.
There was some good news. Microsoft said customers using the newest versions of its e-mail software, Outlook Express 6 and Outlook 2002, were protected from hackers trying to exploit the problem using e-mails.
Older versions of Outlook would also be safe if customers had manually applied another security patch, which Microsoft released in 2000 after the spread of the damaging "ILOVEYOU" virus.
Microsoft said customers could manually adjust settings hidden deep within its Internet Explorer browsing software to prevent Windows from processing the dangerous code. Experts, however, said that was not easy to do for many users and that it would cripple convenient functions for many popular Web sites.
Re:For the lazy......
by
gordyf
·
· Score: 5, Funny
"It's pretty unlikely any such exploit attempt will get legs."
Worms don't have legs anyway, do they?
Re:For the lazy......
by
nolife
·
· Score: 2, Interesting
Microsoft said customers using the newest versions of its e-mail software, Outlook Express 6 and Outlook 2002, were protected from hackers trying to exploit the problem using e-mails.
They should have add the following, "or if you are using just about any other mail reader besides ours."
I love how MS attempts to twist the story here and appears to make it look like you should only be using the most recent versions of THEIR software to be safe. They completely fail to mention that the only reason any of this is possible is bacause of their software and its integration into IE and the OS. If you were using almost ANY OTHER email program not designed by them or one that did not use their glob job interent settings you would be safe also. I use Pegasus and it is not effected by this at all.
-- Bad boys rape our young girls but Violet gives willingly.
In order to keep it secret...
by
rasafras
·
· Score: 5, Funny
Top officials have decided to post it on Slashdot.
You have to this week, because of Linux. After Microsoft's weekly publicity blitz on Monday with the IIS bug, Linux fired back with a local root exploit, thus stealing the limelight. Microsoft, which is feeling very threatened by Linux these days, could not let that stand.
The big question is whether or not The Penguin will escalate with another salvo tomorrow. If so, you will have a busy Windows-patching session before the week ends.
Ain't competition great?
-- As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
Re:Is this Monday?
by
Pharmboy
·
· Score: 4, Funny
Samba is not a standard part of any Linux distro that I know of.
what day is it again?
by
GweeDo
·
· Score: 4, Funny
It is monday...time to patch my Windows Boxes...
It is tuesday...time to patch my Linux boxes...
It is hump day...time to patch my Windows Boxes again...
Crap...what is Thursday gonna bring! And what is this gonna do to my loverly uptime!
Re:what day is it again?
by
AKnightCowboy
·
· Score: 2, Interesting
It is hump day...time to patch my Windows Boxes again... Crap...what is Thursday gonna bring!
Thursday, time to patch the SunRPC holes in Solaris. I WAS about to implement a central NFS server for our workstations, but Sun has so many problems with their RPC implementation resulting in root exploits I think I'll have to look for something else.
Big Worm ain't gonna do a GOD-DAMNED thing! I run linux.
-- Finally, math books without any of that base 6 crap in them.
It doesn't look good for OS X
by
teamhasnoi
·
· Score: 5, Funny
Big worms are unusually fond of Apples.
You might want to cover your Macintosh with a thin layer of paraffin, or place it in a plastic bag this week; that should deter any worms.
How to check if you are vulnerable
by
gmuslera
·
· Score: 5, Funny
From the Microsoft security bulletin --------------- How to Check Which Version You Have
If you are unsure whether a product you are running is affected by this issue, check the version.
To determine which version of Microsoft Windows you are running:
1. On the taskbar at the bottom of your screen, click Start, and then click Run.
2. In the Run dialog box, type: winver
3. Click OK.
A dialog box displays the version that you are running. -------------
If it say "Microsoft " and something else, you are vulnerable.
lets play a game
by
xao+gypsie
·
· Score: 3, Funny
lets guess at how many root name servers will go down this time.....weee!!!
xao
--
xao
http://TheHillforum.hopto.org
This is NOT working!!!!
by
the_real_tigga
·
· Score: 4, Funny
I just tried this and wanted to warn others:
YOU WON'T BE ABLE TO TELL THE VERSION FROM THIS! Microsoft must be saying something wrong!!!
I got a window popping up, the title was "Sorry - KDesktop", and then "winver" and "Could not run the specified command!"
So it's not woring. QED.
-- my.sig is better than yours.
Re:Why Navy rules....
by
titzandkunt
·
· Score: 2, Funny
Hey - me too!
(Defense, software, navy, RH6.2)
Who knows, maybe we sit at adjacent desks...
If that's the case, next time, will you fill the friggen' coffee machine up when you take the last cup?
T&K.
-- Political language... is designed to make lies sound truthful and murder respectable...
Two separate vulnerabilities
by
nweaver
·
· Score: 4, Informative
#1 is the WebDAV vulnerability, affecting IIS 5 on Win2k. This is the one used to corrupt the military web server in question, and is a very worm friendly (arbitrary remote execution) vulnerability. This is the most likely target of a worm, as it can be purely automatic (a'la slammer and Code Red), and gives full system access.
#2 is a script engine vulnerability, allowing an email message or web page to execute arbitrary code. Although good for mail worms, this is less autonomous-worm friendly: it's a good secondary way to cross a firewall, but users need to read the email to spread, making a slower worm, something in the ballpark of an auto-executing Klez: a pain but nothing catastrophic. It also runs as the user, not as sysem, making it a (somewhat) less valuable exploit when targeting Win2k/XP.
Both are serious vulnerabilities which require patching, however.
In case you are curious...
by
Elwood+P+Dowd
·
· Score: 4, Informative
No, you are not crazy. These articles are all refering to the other MS issue this week: IIS's WebDAV remote buffer overflow attack.
There is, however, a new issue today. Use Windows Update. This new issue would allow operators of a malicious website to remote root your machine if you navigate to them. This applies to all (!) versions of Windows since Win98.
The worm-friendly bug is the old bug. So, technically speaking, this post is 100% dupe. It just happened to (luckily?) coincide with another MS security issue.
So there I was at a Halloween party. This woman dressed up as a giant insect walks up. I realise she has a Microsoft logo on the chest of her costume.
I was hooked.
"So," she asked "does me being a Microsoft Bug make your Big Worm want to come out and play?" I was flabbergasted.. There I was being asked this by the woman of my dreams and I was wearing a Tequila Bottle costume...
-- Trolling is a art,
I sometimes wonder
by
sielwolf
·
· Score: 4, Interesting
If any of this does any good (outside of warning Windows admins). People who have used computers for twenty years still have no idea how these exploits and bugs work. They think that Kevin Mitnick can hack a computer with a telephone (ala Scanners) but don't think twice about double-clicking an email from "1337user@aol.com".
I sometimes think that education has been a problem, as all of these reports usually come with a verbose "what this does, what it doesn't, what you should do." So then I go on to think that it must be some sort of lethargy on the part of Joe End User. So then I think that a serious entrance learning curve would do the trick (i.e. stick every one on some old terminals).
But I think a threshold has been crossed. People now need to use computers. Colleges and businesses are going paperless, demanding a higher level of computer savvy... but all the while ignoring basic user compotence. Computer use is either "so simple a monkey could do it" or "impossible for anyone but geeks to understand". It's as if most users are satisfied to never understand how their "magic box" works.
This wouldn't bother me too much if it didn't seem that this same disease has seemingly infected a significant minority of admins out there (considering how ridiculously some of these viruses spread). Of course many of these seem to be (in my experience) non-CS academic types who "need" Unix workstations but are uninterested in protecting them.
-- What is music when you despise all sound?
Re:I sometimes wonder
by
waveman
·
· Score: 5, Funny
"compotence" - there is something ironic about spelling this wrong.
Re:Deepest Apolgies...
by
RatBastard
·
· Score: 2, Funny
I blame the asshats running the webiste I cut and pasted from.:(
-- Boobies never hurt anyone. - Sherry Glaser.
Contradictions from the experts
by
dstone
·
· Score: 5, Interesting
Russ Cooper, moderator of the NTBugTraq security list and a security expert for TruSecure Corp., seems to be contradicting himself in two stories on the same day (or is being misquoted). Make of this what you will...
This story quotes Cooper: "I do expect that in the next seven to 10 days we're going to see a worldwide wave" of attacks, probably via an Internet worm, Cooper said Wednesday. "And it will be effective."
And this story quotes Cooper: ""I doubt we will see an attack based on this," Cooper said. "It's pretty unlikely any such exploit attempt will get legs.""
Re:Contradictions from the experts
by
ryanr
·
· Score: 3, Informative
Probably because they are about two different vulns. Since the webdav hole is known to have an exploit already being used in the wild, it's pretty safe for Russ to say that it will be used.:)
He's probably also not too far off with the jscript integer overflow either. It's usually difficult to write an exploit that will work for all the different OS and jscript.dll versions, without simply crashing on a mismatched version. That makes an effective worm a lot less likely.
The Details
by
Anonymous Coward
·
· Score: 5, Informative
Technical details
Technical description:
The Windows Script Engine provides Windows operating systems with the ability to execute script code. Script code can be used to add functionality to web pages, or to automate tasks within the operating system or within a program. Script code can be written in several different scripting languages, such as Visual Basic Script, or JScript.
A flaw exists in the way by which the Windows Script Engine for JScript processes information. An attacker could exploit the vulnerability by constructing a web page that, when visited by the user, would execute code of the attacker's choice with the user's privileges. The web page could be hosted on a web site, or sent directly to the user in email.
Although Microsoft has supplied a patch for this vulnerability and recommends all affected customers install the patch immediately, additional preventive measures have been provided that customers can use to help block the exploitation of this vulnerability while they are assessing the impact and compatibility of the patch. These temporary workarounds are discussed in the "Workarounds" section in the FAQ below.
Frequently asked questions:
What's the scope of the vulnerability?
This is a buffer overrun vulnerability. An attacker who successfully exploited this vulnerability could cause code of his or her choice to be executed as though it originated on the local machine.
What causes the vulnerability?
The vulnerability is caused by a heap overflow in the Windows Script Engine for the JScript scripting language, JScript.dll.
What is a scripting language?
Scripting languages can be used to add additional functionality to HTML web pages or operating systems. They can enable a web author to set and store variables, and work with data in the HTML code. For instance, a script can be used to check the version of the web browser a user is running, validate input, work with applets or controls, and communicate to the user.
In addition, scripts can be used in Windows to automate operating system tasks such as changing settings or mapping a network drive.
What is a scripting engine?
The Windows Scripting Engine serves as the component within Windows that interprets and executes script code written in scripting languages such as JScript or VBscript.
What is JScript?
JScript is the Microsoft implementation of the ECMA 262 language specification (ECMAScript Edition 3).
It is an interpreted, object-based scripting language. In general, JScript has fewer capabilities than full-fledged object-oriented languages like C++. Stand-alone applications cannot be written in JScript, for example. JScript scripts can run only in the presence of an interpreter or "host", such as Active Server Pages (ASP), Internet Explorer, or Windows Script Host.
What's wrong with the Windows Script Engine for JScript?
There is a flaw in the way the JScript scripting engine processes the script. It does not correctly size a buffer during a memory operation.
What could this vulnerability enable an attacker to do?
This vulnerability could enable an attacker to cause code of the attacker's choice to run with user privileges on the system.
If I am not using Internet Explorer do I need the patch?
Yes. The vulnerability exists in the Windows Script Engine. Microsoft recommends all customers install the patch immediately.
How could an attacker exploit this vulnerability?
The attacker would need to construct a web page that contained specially formed script code. The attack could then proceed via either of two vectors. In the first, the attacker could host the web page on a web site; when a user visited the site, the web page could launch the script and exploit the vulnerability. In the second, the attacker could send the web page as an HTML mail. Upon being opened by the recipient, the web page could attempt to invoke the function and exploit the vulnerab
Re:Can bug affect hotmail or yahoo email?
by
johny_qst
·
· Score: 2, Informative
This affects all users who view HTML webpages with Internet Explorer or view HTML email on their windows box with an old version of Outlook or Outlook Express. If you are using another browser or email program you are still vulnerable if scripting is enabled. This is a problem with processing JScript. This is a problem for most M$ boxes. If using one please upgrade to another OS or update using windows update.
-- Fnord.sig
Windows Update not working?
by
mtcrowe
·
· Score: 5, Interesting
Has anyone tried to use Windows Update to grab this patch? I'm running WinXP at work and just tried to hit Windows Update to let it auto-magically determine which update(s) to send to me. However - it came back and said everything was already hunky dory, no patches available.
I checked www.microsoft.com/security and looked up the MS03-008 patch for XP. It had a Qfix number starting with 8. I then compared against the Qfixed installed in my add/remove programs listing and it wasn't there...
I'm wondering whether they forgot to include that patch on the WU site for WinXP users. Seems to me like that would be one of the most critical places to put it for all of the normal user-folk.
So, I manually downloaded and installed the "Js56en" patch on WinXP and it took.
As an aside - I was very concerned when MS announced the Windows Scripting Host functionality. My thinking at the time (and again now) is that they allow so many file types to be executed that there's just no way they can keep all of the bugs out of all of those interpreters. Figured it would just be a matter of time..
Wasn't this story posted last month... And the month before? And the week before that? And the month before...
I can't believe I read it here first
by
perp
·
· Score: 2, Interesting
From the advisory, which is now in my mailbox, (though it wasn't a few hours ago when I left work) Microsoft was initially notified last July, iDefense's (paying) clients were notified in January and we, the great unwashed, are just hearing about this now.
Actually the receptionist(!) at work forwarded me a news story about this from the local tabloid newspaper this afternoon, but the article was so non-technical that it was impossible to tell what exploit they were talking about (and there were no links), so I postponed looking into it until I heard more.
I read BugTraq religiously. Looks like I need to get another religion if I want to save my soul, let alone my ass. Fortunately, at our site, use of either IE or Outlook is punishable by a severe whacking, so we shouldn't be too badly off.
-- There are two kinds of sysadmins: paranoids and losers. I'm both kinds.
Maybe this is a stupid question, but what is the point of enabling such feature as running executable code received in an e-mail? I know what everybody on Slashdot think (except for those 1337 H4X0RZ who find this useful). I just want to know the answer from inventor of this "feature".
Slashdot Mirror
WASHINGTON -- Microsoft Corp. on Wednesday warned about a serious flaw in almost every version of its popular Windows software that could allow hackers to seize control of a person's computer when victims read e-mails or visit Web sites.
Microsoft assessed the problem's urgency as critical, its highest level, and urged customers to download a free repairing patch immediately from its Web site, www.microsoft.com/security.
The company said it was unaware of any reports that hackers already had used the technique to break into computers, but the time between disclosure of a new flaw and such break-ins has become increasingly short.
Russ Cooper, a security expert for TruSecure Corp., based in Herndon, Va., predicted that antivirus software will be updated to protect users who might receive infected e-mails and that Web sites with infected pages would be shut down quickly once they are detected.
"I doubt we will see an attack based on this," Cooper said. "It's pretty unlikely any such exploit attempt will get legs."
The problem involves tricking Windows into processing unsafe code built into a Web page or e-mail message. It was particularly unusual because it affected so many different versions of Windows, from Windows 98 to its latest Windows XP editions.
There was some good news. Microsoft said customers using the newest versions of its e-mail software, Outlook Express 6 and Outlook 2002, were protected from hackers trying to exploit the problem using e-mails.
Older versions of Outlook would also be safe if customers had manually applied another security patch, which Microsoft released in 2000 after the spread of the damaging "ILOVEYOU" virus.
Microsoft said customers could manually adjust settings hidden deep within its Internet Explorer browsing software to prevent Windows from processing the dangerous code. Experts, however, said that was not easy to do for many users and that it would cripple convenient functions for many popular Web sites.
Top officials have decided to post it on Slashdot.
webpage
I thought Monday was the official MS patch day? As an MS admin I'm not expected to work two days a week, am I?
The Early Bird OS?
Sheesh, evil *and* a jerk. -- Jade
From an AP article:
"I doubt we will see an attack based on this," Cooper said. "It's pretty unlikely any such exploit attempt will get legs."
Russ Cooper is a security expert for TruSecure Corp., based in Herndon, Va.
There seems to be some disagreement on the exploitability of this.
Inconceivable!
Half the stories linked to are for the wrong vuln. I think they're supposed to be warning us about this one:
i ns/ms03-008.asp
http://www.microsoft.com/security/security_bullet
It is monday...time to patch my Windows Boxes... It is tuesday...time to patch my Linux boxes... It is hump day...time to patch my Windows Boxes again... Crap...what is Thursday gonna bring! And what is this gonna do to my loverly uptime!
Unstable Apps: Our Android Apps Don't Suck
I heard he smoked a fool over 20 bucks!
You might want to cover your Macintosh with a thin layer of paraffin, or place it in a plastic bag this week; that should deter any worms.
From the Microsoft security bulletin
---------------
How to Check Which Version You Have
If you are unsure whether a product you are running is affected by this issue, check the version.
To determine which version of Microsoft Windows you are running:
1. On the taskbar at the bottom of your screen, click Start, and then click Run.
2. In the Run dialog box, type: winver
3. Click OK.
A dialog box displays the version that you are running.
-------------
If it say "Microsoft " and something else, you are vulnerable.
lets guess at how many root name servers will go down this time.....weee!!!
xao
xao
http://TheHillforum.hopto.org
I just tried this and wanted to warn others:
YOU WON'T BE ABLE TO TELL THE VERSION FROM THIS!
Microsoft must be saying something wrong!!!
I got a window popping up, the title was "Sorry - KDesktop", and then "winver" and "Could not run the specified command!"
So it's not woring. QED.
my
Hey - me too!
(Defense, software, navy, RH6.2)
Who knows, maybe we sit at adjacent desks...
If that's the case, next time, will you fill
the friggen' coffee machine up when you take
the last cup?
T&K.
Political language
#1 is the WebDAV vulnerability, affecting IIS 5 on Win2k. This is the one used to corrupt the military web server in question, and is a very worm friendly (arbitrary remote execution) vulnerability. This is the most likely target of a worm, as it can be purely automatic (a'la slammer and Code Red), and gives full system access.
#2 is a script engine vulnerability, allowing an email message or web page to execute arbitrary code. Although good for mail worms, this is less autonomous-worm friendly: it's a good secondary way to cross a firewall, but users need to read the email to spread, making a slower worm, something in the ballpark of an auto-executing Klez: a pain but nothing catastrophic. It also runs as the user, not as sysem, making it a (somewhat) less valuable exploit when targeting Win2k/XP.
Both are serious vulnerabilities which require patching, however.
Test your net with Netalyzr
No, you are not crazy. These articles are all refering to the other MS issue this week: IIS's WebDAV remote buffer overflow attack.
There is, however, a new issue today. Use Windows Update. This new issue would allow operators of a malicious website to remote root your machine if you navigate to them. This applies to all (!) versions of Windows since Win98.
The worm-friendly bug is the old bug. So, technically speaking, this post is 100% dupe. It just happened to (luckily?) coincide with another MS security issue.
There are no trails. There are no trees out here.
I usually use a thumper to call Shai-Hulud.
Truth suffers from too much analysis.
Ancient Fremen Saying
This story isn't a week old. The postings for the advisories were issued on the 17th. The exploit has known to be out since last Wed.
I don't want knowledge. I want certainty. - Law, David Bowie
Walk without rhythm, and you won't attract the worm.
Shai-Hulud's a-coming!
From the "Mitigating Factors" section of Microsoft's bulletin:
- For an attack to be successful, the user would need to visit a website under the attacker's control or receive an HTML e-mail from the attacker.
They forgot some other mitigating factors, like:
- the user's machine would have to be connected to a source of AC power
etc.
http://developers.slashdot.org/
Microsoft Bug May Attract Big Worm
So there I was at a Halloween party. This woman dressed up as a giant insect walks up. I realise she has a Microsoft logo on the chest of her costume.
I was hooked.
"So," she asked "does me being a Microsoft Bug make your Big Worm want to come out and play?" I was flabbergasted.. There I was being asked this by the woman of my dreams and I was wearing a Tequila Bottle costume...
Trolling is a art,
If any of this does any good (outside of warning Windows admins). People who have used computers for twenty years still have no idea how these exploits and bugs work. They think that Kevin Mitnick can hack a computer with a telephone (ala Scanners) but don't think twice about double-clicking an email from "1337user@aol.com".
I sometimes think that education has been a problem, as all of these reports usually come with a verbose "what this does, what it doesn't, what you should do." So then I go on to think that it must be some sort of lethargy on the part of Joe End User. So then I think that a serious entrance learning curve would do the trick (i.e. stick every one on some old terminals).
But I think a threshold has been crossed. People now need to use computers. Colleges and businesses are going paperless, demanding a higher level of computer savvy... but all the while ignoring basic user compotence. Computer use is either "so simple a monkey could do it" or "impossible for anyone but geeks to understand". It's as if most users are satisfied to never understand how their "magic box" works.
This wouldn't bother me too much if it didn't seem that this same disease has seemingly infected a significant minority of admins out there (considering how ridiculously some of these viruses spread). Of course many of these seem to be (in my experience) non-CS academic types who "need" Unix workstations but are uninterested in protecting them.
What is music when you despise all sound?
I blame the asshats running the webiste I cut and pasted from. :(
Boobies never hurt anyone. - Sherry Glaser.
Russ Cooper, moderator of the NTBugTraq security list and a security expert for TruSecure Corp., seems to be contradicting himself in two stories on the same day (or is being misquoted). Make of this what you will...
This story quotes Cooper: "I do expect that in the next seven to 10 days we're going to see a worldwide wave" of attacks, probably via an Internet worm, Cooper said Wednesday. "And it will be effective."
And this story quotes Cooper: ""I doubt we will see an attack based on this," Cooper said. "It's pretty unlikely any such exploit attempt will get legs.""
Technical details
Technical description:
The Windows Script Engine provides Windows operating systems with the ability to execute script code. Script code can be used to add functionality to web pages, or to automate tasks within the operating system or within a program. Script code can be written in several different scripting languages, such as Visual Basic Script, or JScript.
A flaw exists in the way by which the Windows Script Engine for JScript processes information. An attacker could exploit the vulnerability by constructing a web page that, when visited by the user, would execute code of the attacker's choice with the user's privileges. The web page could be hosted on a web site, or sent directly to the user in email.
Although Microsoft has supplied a patch for this vulnerability and recommends all affected customers install the patch immediately, additional preventive measures have been provided that customers can use to help block the exploitation of this vulnerability while they are assessing the impact and compatibility of the patch. These temporary workarounds are discussed in the "Workarounds" section in the FAQ below.
Frequently asked questions:
What's the scope of the vulnerability?
This is a buffer overrun vulnerability. An attacker who successfully exploited this vulnerability could cause code of his or her choice to be executed as though it originated on the local machine.
What causes the vulnerability?
The vulnerability is caused by a heap overflow in the Windows Script Engine for the JScript scripting language, JScript.dll.
What is a scripting language?
Scripting languages can be used to add additional functionality to HTML web pages or operating systems. They can enable a web author to set and store variables, and work with data in the HTML code. For instance, a script can be used to check the version of the web browser a user is running, validate input, work with applets or controls, and communicate to the user.
In addition, scripts can be used in Windows to automate operating system tasks such as changing settings or mapping a network drive.
What is a scripting engine?
The Windows Scripting Engine serves as the component within Windows that interprets and executes script code written in scripting languages such as JScript or VBscript.
What is JScript?
JScript is the Microsoft implementation of the ECMA 262 language specification (ECMAScript Edition 3).
It is an interpreted, object-based scripting language. In general, JScript has fewer capabilities than full-fledged object-oriented languages like C++. Stand-alone applications cannot be written in JScript, for example. JScript scripts can run only in the presence of an interpreter or "host", such as Active Server Pages (ASP), Internet Explorer, or Windows Script Host.
What's wrong with the Windows Script Engine for JScript?
There is a flaw in the way the JScript scripting engine processes the script. It does not correctly size a buffer during a memory operation.
What could this vulnerability enable an attacker to do?
This vulnerability could enable an attacker to cause code of the attacker's choice to run with user privileges on the system.
If I am not using Internet Explorer do I need the patch?
Yes. The vulnerability exists in the Windows Script Engine. Microsoft recommends all customers install the patch immediately.
How could an attacker exploit this vulnerability?
The attacker would need to construct a web page that contained specially formed script code. The attack could then proceed via either of two vectors. In the first, the attacker could host the web page on a web site; when a user visited the site, the web page could launch the script and exploit the vulnerability. In the second, the attacker could send the web page as an HTML mail. Upon being opened by the recipient, the web page could attempt to invoke the function and exploit the vulnerab
This affects all users who view HTML webpages with Internet Explorer or view HTML email on their windows box with an old version of Outlook or Outlook Express. If you are using another browser or email program you are still vulnerable if scripting is enabled. This is a problem with processing JScript. This is a problem for most M$ boxes. If using one please upgrade to another OS or update using windows update.
Fnord.sig
Has anyone tried to use Windows Update to grab this patch? I'm running WinXP at work and just tried to hit Windows Update to let it auto-magically determine which update(s) to send to me. However - it came back and said everything was already hunky dory, no patches available.
I checked www.microsoft.com/security and looked up the MS03-008 patch for XP. It had a Qfix number starting with 8. I then compared against the Qfixed installed in my add/remove programs listing and it wasn't there...
I'm wondering whether they forgot to include that patch on the WU site for WinXP users. Seems to me like that would be one of the most critical places to put it for all of the normal user-folk.
So, I manually downloaded and installed the "Js56en" patch on WinXP and it took.
As an aside - I was very concerned when MS announced the Windows Scripting Host functionality. My thinking at the time (and again now) is that they allow so many file types to be executed that there's just no way they can keep all of the bugs out of all of those interpreters. Figured it would just be a matter of time..
Wasn't this story posted last month... And the month before? And the week before that? And the month before...
From the advisory, which is now in my mailbox, (though it wasn't a few hours ago when I left work) Microsoft was initially notified last July, iDefense's (paying) clients were notified in January and we, the great unwashed, are just hearing about this now.
Actually the receptionist(!) at work forwarded me a news story about this from the local tabloid newspaper this afternoon, but the article was so non-technical that it was impossible to tell what exploit they were talking about (and there were no links), so I postponed looking into it until I heard more.
I read BugTraq religiously. Looks like I need to get another religion if I want to save my soul, let alone my ass. Fortunately, at our site, use of either IE or Outlook is punishable by a severe whacking, so we shouldn't be too badly off.
There are two kinds of sysadmins: paranoids and losers. I'm both kinds.
Maybe this is a stupid question, but what is the point of enabling such feature as running executable code received in an e-mail? I know what everybody on Slashdot think (except for those 1337 H4X0RZ who find this useful). I just want to know the answer from inventor of this "feature".
s/feature/bug/g if $OS=="Windows"
I remember it, it really was bad.