• Article

Security Bulletin

Microsoft Security Bulletin MS03-008 - Critical

Flaw in Windows Script Engine Could Allow Code Execution (814078)

Published: March 19, 2003 | Updated: September 04, 2003

Version: 1.4

Originally posted: March 19, 2003
Updated: September 4, 2003

Summary

Who should read this bulletin: Customers using Microsoft® Windows®.

Impact of vulnerability: Run Code of Attacker's Choice

Maximum Severity Rating: Critical

Recommendation: Customers should install the patch immediately.

End User Bulletin: An end user version of this bulletin is available at: https:.

Affected Software:

  • Microsoft Windows 98
  • Microsoft Windows 98 Second Edition
  • Microsoft Windows Me
  • Microsoft Windows NT 4.0
  • Microsoft Windows NT 4.0 Terminal Server Edition
  • Microsoft Windows 2000
  • Microsoft Windows XP

General Information

Technical details

Technical description:

The Windows Script Engine provides Windows operating systems with the ability to execute script code. Script code can be used to add functionality to web pages, or to automate tasks within the operating system or within a program. Script code can be written in several different scripting languages, such as Visual Basic Script, or JScript.

A flaw exists in the way by which the Windows Script Engine for JScript processes information. An attacker could exploit the vulnerability by constructing a web page that, when visited by the user, would execute code of the attacker's choice with the user's privileges. The web page could be hosted on a web site, or sent directly to the user in email.

Although Microsoft has supplied a patch for this vulnerability and recommends all affected customers install the patch immediately, additional preventive measures have been provided that customers can use to help block the exploitation of this vulnerability while they are assessing the impact and compatibility of the patch. These temporary workarounds are discussed in the "Workarounds" section in the FAQ below.

Mitigating factors:

  • For an attack to be successful, the user would need to visit a website under the attacker's control or receive an HTML e-mail from the attacker.
  • Computers configured to disable active scripting in Internet Explorer are not susceptible to this issue.
  • Exploiting the vulnerability would allow the attacker only the same privileges as the user. Users whose accounts are configured to have few privileges on the system would be at less risk than ones who operate with administrative privileges.
  • Automatic exploitation of the vulnerability by an HTML email would be blocked by Outlook Express 6.0 and Outlook 2002 in their default configurations, and by Outlook 98 and 2000 if used in conjunction with the Outlook Email Security Update.

Severity Rating:
Windows 98 Critical
Windows 98 Second Edition Critical
Windows Me Critical
Windows NT 4.0 Critical
Windows NT 4.0 Terminal Server Edition Critical
Windows 2000 Critical
Windows XP Critical

The above assessment is based on the types of systems affected by the vulnerability, their typical deployment patterns, and the effect that exploiting the vulnerability would have on them.

Vulnerability identifier: CAN-2003-0010

Tested Versions:

Microsoft tested Windows 98, Windows 98 Second Edition, Windows Me, Windows NT 4.0, Windows NT 4.0 Terminal Server Edition, Windows 2000, and Windows XP to assess whether they are affected by these vulnerabilities. Previous versions are no longer supported, and may or may not be affected by these vulnerabilities.

Frequently asked questions

What's the scope of the vulnerability?
This is a buffer overrun vulnerability. An attacker who successfully exploited this vulnerability could cause code of his or her choice to be executed as though it originated on the local machine.

What causes the vulnerability?
The vulnerability is caused by a heap overflow in the Windows Script Engine for the JScript scripting language, JScript.dll.

What is a scripting language?
Scripting languages can be used to add additional functionality to HTML web pages or operating systems. They can enable a web author to set and store variables, and work with data in the HTML code. For instance, a script can be used to check the version of the web browser a user is running, validate input, work with applets or controls, and communicate to the user. In addition, scripts can be used in Windows to automate operating system tasks such as changing settings or mapping a network drive.

What is a scripting engine?
The Windows Scripting Engine serves as the component within Windows that interprets and executes script code written in scripting languages such as JScript or VBscript.

What is JScript?
JScript is the Microsoft implementation of the ECMA 262 language specification (ECMAScript Edition 3). It is an interpreted, object-based scripting language. In general, JScript has fewer capabilities than full-fledged object-oriented languages like C++. Stand-alone applications cannot be written in JScript, for example. JScript scripts can run only in the presence of an interpreter or "host", such as Active Server Pages (ASP), Internet Explorer, or Windows Script Host.

What's wrong with the Windows Script Engine for JScript?
There is a flaw in the way the JScript scripting engine processes the script. It does not correctly size a buffer during a memory operation.

What could this vulnerability enable an attacker to do?
This vulnerability could enable an attacker to cause code of the attacker's choice to run with user privileges on the system.

If I am not using Internet Explorer do I need the patch?
Yes. The vulnerability exists in the Windows Script Engine. Microsoft recommends all customers install the patch immediately.

How could an attacker exploit this vulnerability?
The attacker would need to construct a web page that contained specially formed script code. The attack could then proceed via either of two vectors. In the first, the attacker could host the web page on a web site; when a user visited the site, the web page could launch the script and exploit the vulnerability. In the second, the attacker could send the web page as an HTML mail. Upon being opened by the recipient, the web page could attempt to invoke the function and exploit the vulnerability. In the HTML mail scenario, if the user was using Outlook Express 6.0 or Outlook 2002 in their default configurations, or Outlook 98 or 2000 in conjunction with the Outlook Email Security Update, then an attack could not be automated and the user would still need to click on a URL sent in e-mail. However if the user was not using Outlook Express 6.0 or Outlook 2002 in their default configurations, or Outlook 98 or 2000 in conjunction with the Outlook Email Security Update, the attacker could cause an attack to trigger automatically without the user having to click on a URL contained in an e-mail.

What does the patch do?
The patch addresses the vulnerability by carrying out proper input validation on the affected JScript function.

Workarounds

Are there any workarounds that can be used to block exploitation of this vulnerability while I am testing or evaluating the patch?
Yes. Although Microsoft urges all customers to apply the patch at the earliest possible opportunity, there are a number of workarounds that can be applied to help prevent the vector used to exploit this vulnerability in the interim. It should be noted that these workarounds should be considered temporary measures as they simply help block paths of attack rather than correcting the underlying vulnerability. The following sections are intended to provide you with information to protect your computer from attack. Each section describes the workarounds that you may wish to use depending on your computer's configuration.

  • Turn off Active Scripting support in Internet Explorer

    You can turn off support for active scripting by performing the steps in the following knowledge base article: </https:>https: Note that disabling scripting support in Internet Explorer will affect the functionality of many websites on the Internet and should be considered a temporary workaround only.

  • Install the Outlook Email Security Update if needed

    In the case of an e-mail borne attack, if the user was using Outlook Express 6.0 or Outlook 2002 in their default configurations, or Outlook 98 or 2000 in conjunction with the Outlook Email Security Update, then an attack could not be automated and the user would still need to click on a URL sent in e-mail. However if the user was not using Outlook Express 6.0 or Outlook 2002 in their default configurations, or Outlook 98 or 2000 in conjunction with the Outlook Email Security Update, the attacker could cause an attack to trigger automatically without the user having to click on a URL contained in an e-mail. In both the web based and e-mail based cases, any limitations on the user's privileges would also restrict the capabilities of the attacker's script.

  • Restrict websites to only your trusted websites

    As another workaround for this issue, you can add sites that you trust to the Internet Explorer Trusted Zone, after disabling Active Scripting in the Internet Zone. This will allow you to continue using trusted web sites exactly as you do today, while tightening the restrictions on untrusted sites. When you are able to deploy the patch, you'll be able to re-enable Active Scripting in the Internet Zone. To do this, perform the following steps:

    • Select "Tools," then "Internet Options." Click the "Security" tab.
    • In the box labeled "Select a Web content zone to specify its current security settings," click "Trusted Sites," then click "Sites."
    • If you want to add sites that don't require a secure connection, de-select the checkbox at the bottom that says "Require server verification (https:) for all sites in this zone."
    • In the box labeled "Add this Web Site to the zone:," type the URL of a site that you trust, then click the "Add" button. Repeat for each site that you want to add to the zone.
    • Click on OK twice to accept the changes and return to IE.

    Add any sites that you trust not to take malicious action on your computer. One in particular that you may want to add is https://windowsupdate.microsoft.com. This is the site that hosts the patch, and it requires Active Scripting in order to install the patch. Note that there's generally a trade-off between ease-of-use and security; by selecting a high-security configuration, you could make it extremely unlikely that a malicious web site could take action against you, but at the cost of missing a lot of rich functionality. The appropriate balance between security and ease-of-use is different for everyone, and you should pick a configuration that fits your needs. The good news is that it's easy to change your configuration, and you can try different configurations until you find the right one for you until you can install the patch.

Patch availability

Download locations for this patch

The patches for all Windows systems are available via Windows Update. In addition, these patches are also available for download to allow the patches to be manually installed.

Additional information about this patch

Installation platforms:

  • The Window 98 patch can be installed on systems running Windows 98 Gold.
  • The Window 98SE patch can be installed on systems running Windows 98SE Gold.
  • The Windows Me patch can be installed on systems running Windows Me Gold.
  • The Windows NT 4.0 patch can be installed on systems running Service Pack 6a.
  • The Windows NT 4.0 Terminal Server Edition patch can be installed on systems running Windows NT 4.0 Terminal Server Edition Service Pack 6.
  • The Windows 2000 patch can be installed on systems running Windows 2000 Service Pack 2 or Service Pack 3.
  • The patch for Windows XP can be installed on systems running Windows XP Gold or Service Pack 1.

Inclusion in future service packs:

The fix for this issue will be included in Windows 2000 Service Pack 4 and Windows XP Service Pack 2.

Reboot needed: Yes

Patch can be uninstalled: No

Superseded patches: None.

Verifying patch installation: To verify that the patch has been installed on the machine, confirm that the following registry key has been created on the machine:

  • Windows 98, Windows 98SE and Window Me:

    To verify that the patch has been installed on the machine consult the file manifest in Knowledge Base article Q814078.

  • Windows NT 4.0:

    To verify that the patch has been installed on the machine, confirm that all files listed in the file manifest in Knowledge Base article Q814078 are present on the system.

  • Windows NT 4.0 Terminal Server Edition:

    To verify that the patch has been installed on the machine, confirm that all files listed in the file manifest in Knowledge Base article Q814078 are present on the system.

  • Windows 2000:

    The English version of this fix has the file attributes (or later) that are listed below. The dates and times for these files are listed in coordinated universal time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time tool in Control Panel.

    The following file is copied to the %WINDIR%\System32 folder.

    File name: Jscript.dll

    Date: 14-Jan-2003

    Time: 16:59

    Version: 5.1.0.8513

    Size: 487,481

  • Windows XP:

    The English version of this fix has the file attributes (or later) that are listed below. The dates and times for these files are listed in coordinated universal time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time tool in Control Panel.

    The following file is copied to the %WINDIR%\System32 folder.

    File name: Jscript.dll

    Date: 13-Jan-2003

    Time: 20:57

    Version: 5.6.0.8513

    Size: 589,881

Caveats:

None

Localization:

Localized versions of this patch are available at the locations discussed in "Patch Availability".

Obtaining other security patches:

Patches for other security issues are available from the following locations:

  • Security patches are available from the Microsoft Download Center, and can be most easily found by doing a keyword search for "security_patch".
  • Patches for consumer platforms are available from the WindowsUpdate web site

Other information:

Support:

Security Resources: The Microsoft TechNet Security Web Site provides additional information about security in Microsoft products.

Disclaimer:

The information provided in the Microsoft Knowledge Base is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.

Revisions:

  • V1.0 (March 19, 2003): Bulletin Created.
  • V1.1 (March 21, 2003): Corrected patch verification instructions in the Additional Information section.
  • V1.2 (May 12, 2003): Updated file version information in the Additional Information section.
  • V1.3 (July 08, 2003): Updated file version information in the Additional Information section.
  • V1.4 (September 04, 2003): Corrected bulletin severity matrix.

Built at 2014-04-18T13:49:36Z-07:00 </https:>