Microsoft Wednesday warned of a serious security flaw in the script engine of all versions of Windows that can be exploited to take control of vulnerable systems.
The software maker issued its eighth security alert on Wednesday with a
“critical” rating on a flaw in the way the Windows
Script Engine for JScript processes information.
It cautioned that an attacker could exploit the hole by constructing a
Web page that, when visited by the user, would execute harmful code with the
user’s privileges. The web page could be hosted on a web site, or sent
directly to the user in e-mail.
Affected software includes Windows 98, Windows 98 Second Edition, Windows
ME, Windows NT 4.0, Windows NT 4.0 Terminal Server Edition, Windows 2000 and
Windows XP.
The problem was detected in the Windows Script Engine, which executes
script code to add functionality to web pages, or to automate tasks within
the OS or within a program.
For an attack to be successful, Microsoft said a vulnerable user would
have to visit a Web site under the attacker’s control or receive an HTML
e-mail from the attacker. Computers configured to disable active scripting
in Internet Explorer are not susceptible to the flaw.
If an exploit is attempted via HTML e-mail, the company said it would be
averted by Outlook Express 6.0 and Outlook 2002 in their default
configurations, and by Outlook 98 and 2000 if used in conjunction with the
Outlook Email Security Update.
It is the second critical alert to come from the Redmond, Wash.-based
firm this week. Of the nine advisories issued this year, five carry a
“critical” rating. Late last year, the company promised to
limit the number of critical advisories because of fears that too many
high-level alerts were creating a “cry wolf” situation.
Last year, more than half of Microsoft’s 72 vulnerability alerts were
tagged as “critical.”
Separately, Microsoft also warned of a flaw in the ISA Server DNS
Intrusion Detection filter that could lead to denial-of-service attacks.
The company issued a patch for the flaw, which exists because
the DNS intrusion detection application filter does not properly handle a
specific type of request when scanning incoming DNS requests.
“An attacker could exploit the vulnerability by sending a specially
formed request to an ISA Server computer that is publishing a DNS server,
which could then result in a denial of service to the published DNS server.
DNS requests arriving at the ISA Server would be stopped at the firewall,
and not passed through to the internal DNS server. All other ISA Server
functionality would be unaffected,” the company warned.