MS-ISAC ADVISORY NUMBER:
2008-012
DATE(S) ISSUED:
4/8/2008
SUBJECT:
Vulnerability in VBScript and JScript Scripting Engines Could Allow Remote Code Execution
OVERVIEW:
To enhance the user experience when visiting web sites, web pages may use applications developed with a programming language called VBScript or JScript.
A vulnerability exists in the way VBScript and JScript render web pages which, if exploited, could allow a remote attacker to take complete control of an affected system. This vulnerability can be exploited if a user visits a specifically crafted web page or e-mail that contains a specially crafted script. Successful exploitation will result in an attacker gaining the same user privileges as the logged on user. If the user is logged in with administrator privileges, the attacker could then install programs, view, change, or delete data, or create new accounts with full privileges.
SYSTEMS AFFECTED:
- Microsoft Windows 2000 Service Pack 4
- Microsoft Windows XP Service Pack 2
- Windows XP Professional x64
- Windows XP Professional x64 Service Pack 2
- Windows Server 2003 Service Pack 1
- Windows Server 2003 Service Pack 2
- Windows Server 2003 x64 Edition
- Windows Server 2003 x64 Edition Service Pack 2
- Windows Server 2003 Service Pack 1 for Itanium-based Systems
- Windows Server 2003 Service Pack 2 for Itanium-based Systems
- VBScript 5.1
- VBScript 5.6
- JScript 5.1
- JScript 5.6
RISK:
Government:
Large and medium government entities: High
Small government entities: High
Businesses:
Large and medium business entities: High
Small business entities: High
Home users: High
DESCRIPTION:
A vulnerability exists in the way VBScript and JScript scripting
engines decode script in web pages which could allow a remote attacker to
take complete control of an affected system.
Scripting is used in web pages and sever-side active server pages (.ASP) to add features to web sites. These scripts are encoded to make it difficult for users to read the scripts that are embedded in the web page. When the script needs to run, the scripting engine decodes the script and loads it into memory.
This vulnerability can be exploited if a user visits a specifically crafted web page, or receives an HTML e-mail, that is running a specially crafted script. Successful exploitation could allow an attacker to execute arbitrary code on the system. If the user is logged in with administrator privileges, the attacker could then install programs, view, change, or delete data, or create new accounts with full privileges.
Systems with Internet Explorer 7, which is delivered with VBScript.dll version 5.7 and Jscript.dll version 5.7, are not affected by this vulnerability.
RECOMMENDATIONS:
We recommend the following actions be taken:
- Apply appropriate patches provided by Microsoft to vulnerable systems
immediately after appropriate testing. The patch is available at: http://www.microsoft.com/technet/security/bulletin/ms08-022.mspx
- Do not visit unknown or un-trusted websites or follow links provided by unknown or un-trusted sources.
- Read all e-mail messages in plain text.
REFERENCES:
Microsoft:
http://www.microsoft.com/technet/security/bulletin/MS08-022.mspx
http://support.microsoft.com/kb/240797
SecurityFocus:
http://www.securityfocus.com/bid/28551
This cyber advisory was issued by the Multi-State Information Sharing and Analysis Center (MS-ISAC) and was intended for government entities. The information may or may not be applicable to the general public and accordingly, the MS-ISAC does not warrant its use for any specific purposes.
-