Microsoft Security Bulletin MS03-008 reports that a heap overflow flaw in the Windows Script Engine for Jscript (specifically, Jscript.dll) can allow an attacker to run arbitrary code on a vulnerable system if the user visits a Web page containing the malicious code or opens an HTML e-mail. Jscript, the Microsoft object-oriented version of the JavaScript (aka ECMAScript) scripting language, is an interpreted language, so it can run only in the presence of Active Server Pages, IE, or Windows Script Host. Since the Windows Script Engine is present even if IE is not in use, the use of a different Web browser offers no protection.

The security bulletin specifically lists the following versions of Windows as potentially being vulnerable to this flaw:

  • Microsoft Windows 98
  • Microsoft Windows 98 Second Edition
  • Microsoft Windows Me
  • Microsoft Windows NT 4.0
  • Microsoft Windows NT 4.0 Terminal Server Edition
  • Microsoft Windows 2000
  • Microsoft Windows XP

Risk level–critical
Microsoft rates this as a critical threat for all current versions of Windows because it can result in an attacker running virtually any code to compromise a system.

Mitigating factors
Systems that are properly configured to disable Internet Explorer active scripting are not vulnerable to this attack. Outlook Express 6.0 and Outlook 2002 will block this attack in their default configuration, but if modified they may not offer protection.

Outlook 98 and Outlook 2000 installations that have been locked down using the Outlook E-mail Security Update are also protected from this flaw.

A patch is available from Microsoft that corrects the improper input validation behind this flaw. However, the patch cannot be uninstalled once you load it. Microsoft has also published the following workarounds for those who decide not to apply the patch immediately:

  • Disable active scripting in the Internet Zone of Internet Explorer (in Tools | Internet Options | Security) and add any trusted Web sites to the IE Trusted Zone so you can retain full functionality. Microsoft cautions that if you use this temporary workaround, you should be certain to add the Windows Update site to the Trusted Zone, because applying the patch requires the use of active scripting.
  • Knowledge Base article 154036 covers problems with active content tools in Internet Explorer and explains how to temporarily disable support for active scripting in IE. Many Web sites use active scripting for much of their functionality, so this should be considered a temporary measure.
  • Install the Outlook E-mail Security Update, which will eliminate only the automatic execution of this attack.
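As an added example (not from the bulletin or this article), the following Python audit reads a `reg export` of a user's IE zone settings (decoded to text) and reports whether the Internet Zone has active scripting disabled and which domains were placed in the Trusted sites zone, so the first workaround above can be verified across workstations. The registry paths and value IDs used (zone 3 = Internet, zone 2 = Trusted sites, value 1400 = Active scripting, 0/1/3 = enable/prompt/disable) are the well-known IE zone settings and are assumed here; the .reg text is constructed.

```python
import re
from typing import Dict, Optional

# Assumed (well-known) IE zone registry layout; not taken from the bulletin text.
#   Zones\3 = Internet zone, Zones\2 = Trusted sites zone
#   value 1400 = "Active scripting"; 0 = Enable, 1 = Prompt, 3 = Disable
ZONES_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones"
ZONEMAP_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains"
ACTIVE_SCRIPTING = "1400"
SETTING_NAMES = {0: "enable", 1: "prompt", 3: "disable"}

# Constructed sample export (shape of `reg export` output) from a workstation
# where the workaround has been applied and Windows Update was trusted.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"DisplayName"="Internet"
"1400"=dword:00000003

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\windowsupdate.microsoft.com]
"http"=dword:00000002
"""

def parse_reg(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal .reg parser: {key path: {value name: raw data string}}."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            current = m.group(1)
            keys[current] = {}
        elif current is not None and line.startswith('"'):
            name, _, data = line.partition("=")
            keys[current][name.strip('"')] = data
    return keys

def active_scripting_state(keys: Dict[str, Dict[str, str]], zone: int = 3) -> Optional[str]:
    """Return enable/prompt/disable for the zone, or None if the value is absent
    (IE then falls back to the zone template default, so treat None as 'not set')."""
    data = keys.get(f"{ZONES_KEY}\\{zone}", {}).get(ACTIVE_SCRIPTING)
    if data is None or not data.startswith("dword:"):
        return None
    return SETTING_NAMES.get(int(data[len("dword:"):], 16), "unknown")

def trusted_domains(keys: Dict[str, Dict[str, str]]) -> list:
    """Domains mapped into zone 2 (Trusted sites) by any protocol value."""
    prefix = ZONEMAP_KEY + "\\"
    return sorted(k[len(prefix):] for k, v in keys.items()
                  if k.startswith(prefix) and "dword:00000002" in v.values())

def workaround_applied(text: str) -> bool:
    """True only when the Internet Zone has active scripting explicitly disabled."""
    return active_scripting_state(parse_reg(text)) == "disable"
```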

Final word
Considering that the patch in another recent Microsoft vulnerability (MS03-007, for the critical WebDAV flaw) can cause systems to crash, it’s probably a safe bet that many administrators are going to be wary about applying any Microsoft security patch for a little while. In this case, those gun-shy administrators can opt to use one of the workarounds to mitigate the effects of the Windows Script Engine flaw.