Flaw lets malicious Web pages attack Windows
Published: 20 Mar 2003 09:21 GMT
A vulnerability in all versions of Windows could allow attackers to use a malicious Web site or HTML email message to trap victims and take control of their PCs, warned Microsoft.
The flaw in the scripting component of the operating system lets attackers run code through the scripting engine as if the program had been executed locally on a PC, allowing them to run their own programs or to take over the system. Microsoft labelled the flaw as critical in its announcement on Wednesday.
While the flaw can be found in every version of Windows -- from Windows 98 to Windows XP -- the potential danger is offset by two factors. First, security measures already in place in email clients are designed to defeat such HTML message attacks. Second, exploiting such flaws through Web pages requires that the person under attack actually visit the malicious site.
"The email vector is only a threat with an older version of Outlook," said Iain Mulholland, security program manager for Microsoft's security response centre. Mulholland added that it would be difficult to create a virus from the flaw. "It's blocked on later versions of Outlook," he said.
The vulnerability is the second major flaw announced by Microsoft this week. On Monday, the software giant warned that a previously unknown vulnerability in a component of its Internet Information Services (IIS) Server 5.0 had allowed hackers to compromise at least one customer's computer system. A representative of the US Army acknowledged on Tuesday that a military server -- but not an Army server -- had been the compromised computer.
The Windows flaw occurs in the way that the operating system handles JScript, its version of JavaScript language -- which itself is known more formally as ECMAScript Edition 3.
An attacker can exploit the vulnerability by either sending a specially crafted script to the potential victim in an email, or by including such a script on a Web site and somehow convincing the user to load the Web page into Internet Explorer.
Email clients and Internet browsers that don't allow scripts to be run will block the attack, Mulholland said. In addition, Outlook Express 6.0 and Outlook 2002 would not be vulnerable to an attack launched through HTML email, if the clients are run in their default configurations. Previous versions of Outlook would also not be vulnerable if the Outlook Email Security Update has been applied.
Patches for the various operating systems can be found on Microsoft's Web site and are available through Windows Update.
Let the editors know what you think in the Mailroom.
Did you find this article useful?
69 out of 161 people found this useful
- Share this article:
