The security bulletin specifically lists the following versions of Windows as potentially being vulnerable to this flaw:
- Microsoft Windows 98
- Microsoft Windows 98 Second Edition
- Microsoft Windows Me
- Microsoft Windows NT 4.0
- Microsoft Windows NT 4.0 Terminal Server Edition
- Microsoft Windows 2000
- Microsoft Windows XP
Microsoft rates this as a critical threat for all current versions of Windows because it can result in an attacker running virtually any code to compromise a system.
Systems that are properly configured to disable Internet Explorer active scripting are not vulnerable to this attack. Outlook Express 6.0 and Outlook 2002 will block this attack in their default configuration, but if modified they may not offer protection.
Outlook 98 and Outlook 2000 that have been locked down using the Outlook E-mail Security Update are also protected from this flaw.
A patch is available from Microsoft that will correct the improper input validation that results from this flaw. However, the patch cannot be uninstalled once you load it. Microsoft has also published the following workarounds for those who decide not to apply the patch immediately:
- Disable active scripting in the Internet Zone of Internet Explorer (in Tools | Internet Options | Security) and add any trusted Web sites to the IE Trusted Zone so you can retain full functionality. Microsoft cautions that if you use this temporary workaround, you should be certain to add windowsupdate.microsoft.com to the Trusted Zone because the patch requires the use of active scripting.
- Knowledge base article 154036 covers problems with active content tools in Internet Explorer and explains how to temporarily disable support for active scripting in IE. Many Web sites use active scripting for much of their functionality so this should be considered a temporary measure.
- Install the Outlook E-mail Security Update, which will eliminate only the automatic execution of this attack.
Considering that the patch in another recent Microsoft vulnerability (MS 03-007 for the critical WebDAV flaw) can cause systems to crash, it’s probably a safe bet that many administrators are going to be wary about applying any Microsoft security patch for a little while. In this case, those gun-shy administrators can opt to use one of the workarounds to mitigate the effects of the Windows Script Engine flaw.