Windows flaw opens PCs to attack

A vulnerability that affects all versions of Microsoft's Windows operating system could allow attackers to run programs on a victim's PC.

Robert Lemos Staff Writer, CNET News.com

Robert Lemos

covers viruses, worms and other security threats.

See full bio

Robert Lemos

March 19, 2003 4:08 p.m. PT

2 min read

A vulnerability in all versions of Windows could allow attackers to use a malicious Web site or HTML e-mail message to trap victims and take control of their PCs, warned Microsoft.

The flaw in the scripting component of the operating system lets attackers run code through the scripting engine as if the program had been executed locally on a PC, allowing them to run their own programs or to take over the system. Microsoft labeled the flaw as critical in its announcement Wednesday.

While the flaw can be found in every version of Windows--from Windows 98 to Windows XP--the potential danger is offset by two factors. First, security measures already in place in e-mail clients are designed to defeat such HTML message attacks. Second, exploiting such flaws through Web pages requires that the person under attack actually visit the malicious site.

"The e-mail vector is only a threat with an older version of Outlook," said Iain Mulholland, security program manager for Microsoft's security response center. Mulholland added that it would be difficult to create a virus from the flaw. "It's blocked on later versions of Outlook," he said.

The vulnerability is the second major flaw announced by Microsoft this week. On Monday, the software giant warned that a previously unknown vulnerability in a component of its Internet Information Services (IIS) Server 5.0 had allowed hackers to compromise at least one customer's computer system. A representative of the U.S. Army acknowledged on Tuesday that a military server--but not an Army server--had been the compromised computer.

The Windows flaw occurs in the way that the operating system handles JScript, its version of JavaScript language--which itself is known more formally as ECMAScript Edition 3.

An attacker can exploit the vulnerability by either sending a specially crafted script to the potential victim in an e-mail, or by including such a script on a Web site and somehow convincing the user to load the Web page into Internet Explorer.

E-mail clients and Internet browsers that don't allow scripts to be run will block the attack, Mulholland said. In addition, Outlook Express 6.0 and Outlook 2002 would not be vulnerable to an attack launched through HTML e-mail, if the clients are run in their default configurations. Previous versions of Outlook would also not be vulnerable if the Outlook E-mail Security Update has been applied.

Patches for the various operating systems can be found on Microsoft's Web site and are available through Windows Update.