SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   OS (Microsoft)  >   Windows Script Engine Vendors:   Microsoft
Windows VBScript and JScript Scripting Engine Bug Lets Remote Users Execute Arbitrary Code
SecurityTracker Alert ID:  1019799
SecurityTracker URL:  http://securitytracker.com/id/1019799
CVE Reference:   CVE-2008-0083   (Links to External Site)
Updated:  Aug 13 2008
Original Entry Date:  Apr 8 2008
Impact:   Execution of arbitrary code via network, User access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): 2000 SP4, 2003 SP2, XP SP2; and prior service packs
Description:   A vulnerability was reported in the Windows VBScript and JScript Scripting Engines. A remote user can cause arbitrary code to be executed on the target user's system.

A remote user can create specially crafted scripting code that, when loaded by the target user, will trigger a memory error and execute arbitrary code on the target system. The code will run with the privileges of the target user.

The code can be contained within a file or remote web site.

Peter Ferrie of Symantec reported this vulnerability.

Impact:   A remote user can create scripting code that, when loaded by the target user, will execute arbitrary code on the target user's system.
Solution:   The vendor has issued the following fixes:

Microsoft Windows 2000 Service Pack 4, VBScript 5.1 and JScript 5.1:

http://www.microsoft.com/downloads/details.aspx?FamilyID=8e3ff44f-145b-4a68-9ad4-4a55d74b216e

Microsoft Windows 2000 Service Pack 4, VBScript 5.6 and JScript 5.6:

http://www.microsoft.com/downloads/details.aspx?FamilyID=8e3ff44f-145b-4a68-9ad4-4a55d74b216e

Windows XP Service Pack 2, VBScript 5.6 and JScript 5.6:

http://www.microsoft.com/downloads/details.aspx?FamilyID=c0124698-3b94-4474-9473-22a2f39a4a56

Windows XP Professional x64 Edition and Windows XP Professional x64 Edition Service Pack 2, VBScript 5.6 and JScript 5.6:

http://www.microsoft.com/downloads/details.aspx?FamilyID=87b80ae3-e299-4d15-a135-3b1bcf943652

Windows Server 2003 Service Pack 1 and Windows Server 2003 Service Pack 2, VBScript 5.6 and JScript 5.6:

http://www.microsoft.com/downloads/details.aspx?FamilyID=88518aa6-e334-4529-aa63-0bf2ef417ce3

Windows Server 2003 x64 Edition and Windows Server 2003 x64 Edition Service Pack 2, VBScript 5.6 and JScript 5.6:

http://www.microsoft.com/downloads/details.aspx?FamilyID=12cefefc-8553-4dca-9850-c653371de61e

Windows Server 2003 with SP1 for Itanium-based Systems and Windows Server 2003 with SP2 for Itanium based Systems, VBScript 5.6 and JScript 5.6:

http://www.microsoft.com/downloads/details.aspx?FamilyID=fe22a828-cca4-4b51-bbd5-995c65fead21

A restart is required.

The Microsoft advisory is available at:

http://www.microsoft.com/technet/security/bulletin/ms08-022.mspx

On August 12, 2008, Microsoft reported some issues where the security update may not be properly applied. The issues are described in a Knowledge Base article: http://support.microsoft.com/kb/944338

Vendor URL:  www.microsoft.com/technet/security/bulletin/ms08-022.mspx (Links to External Site)
Cause:   Access control error

Message History:   None.


 Source Message Contents



[Original Message Not Available for Viewing]


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2019, SecurityGlobal.net LLC