RealTime IT News

Microsoft Warns of Windows Script Engine Flaw

Microsoft Wednesday warned of a serious security flaw in the script engine of all versions of Windows that can be exploited to take control of vulnerable systems.

The software maker issued its eighth security alert on Wednesday with a "critical" rating on a flaw in the way the Windows Script Engine for JScript processes information.

It cautioned that an attacker could exploit the hole by constructing a Web page that, when visited by the user, would execute harmful code with the user's privileges. The web page could be hosted on a web site, or sent directly to the user in e-mail.

Affected software includes Windows 98, Windows 98 Second Edition, Windows ME, Windows NT 4.0, Windows NT 4.0 Terminal Server Edition, Windows 2000 and Windows XP.

The problem was detected in the Windows Script Engine, which executes script code to add functionality to web pages, or to automate tasks within the OS or within a program.

For an attack to be successful, Microsoft said a vulnerable user would have to visit a Web site under the attacker's control or receive an HTML e-mail from the attacker. Computers configured to disable active scripting in Internet Explorer are not susceptible to the flaw. If an exploit is attempted via HTML e-mail, the company said it would be averted by Outlook Express 6.0 and Outlook 2002 in their default configurations, and by Outlook 98 and 2000 if used in conjunction with the Outlook Email Security Update.

It is the second critical alert to come from the Redmond, Wash.-based firm this week. Of the nine advisories issued this year, five carry a "critical" rating. Late last year, the company promised to limit the number of critical advisories because of fears that too many high-level alerts were creating a "cry wolf" situation.

Last year, more than half of Microsoft's 72 vulnerability alerts were tagged as "critical."

Separately, Microsoft also warned of a flaw in the ISA Server DNS Intrusion Detection filter that could lead to denial-of-service attacks. That vulnerability carries a "moderate" rating.

The company issued a patch (download location here) for the flaw, which exists because the DNS intrusion detection application filter does not properly handle a specific type of request when scanning incoming DNS requests.

"An attacker could exploit the vulnerability by sending a specially formed request to an ISA Server computer that is publishing a DNS server, which could then result in a denial of service to the published DNS server. DNS requests arriving at the ISA Server would be stopped at the firewall, and not passed through to the internal DNS server. All other ISA Server functionality would be unaffected," the company warned.