Windows VBScript and JScript Scripting Engine Bug Lets Remote Users Execute Arbitrary Code
SecurityTracker Alert ID: 1019799
SecurityTracker URL: http://securitytracker.com/id/1019799
CVE Reference: CVE-2008-0083
Updated: Aug 13 2008
Original Entry Date: Apr 8 2008
Impact: Execution of arbitrary code via network, User access via network
Fix Available: Yes
Vendor Confirmed: Yes
Version(s): 2000 SP4, 2003 SP2, XP SP2; and prior service packs
Description:
A vulnerability was reported in the Windows VBScript and JScript Scripting Engines. A remote user can cause arbitrary code to be executed on the target user's system.
A remote user can create specially crafted scripting code that, when loaded by the target user, will trigger a memory error and execute arbitrary code on the target system. The code will run with the privileges of the target user.
The code can be contained within a file or hosted on a remote web site.
Peter Ferrie of Symantec reported this vulnerability.
Impact:
A remote user can create scripting code that, when loaded by the target user, will execute arbitrary code on the target user's system.
Solution:
The vendor has issued the following fixes:
Microsoft Windows 2000 Service Pack 4, VBScript 5.1 and JScript 5.1:
http://www.microsoft.com/downloads/details.aspx?FamilyID=8e3ff44f-145b-4a68-9ad4-4a55d74b216e
Microsoft Windows 2000 Service Pack 4, VBScript 5.6 and JScript 5.6:
http://www.microsoft.com/downloads/details.aspx?FamilyID=8e3ff44f-145b-4a68-9ad4-4a55d74b216e
Windows XP Service Pack 2, VBScript 5.6 and JScript 5.6:
http://www.microsoft.com/downloads/details.aspx?FamilyID=c0124698-3b94-4474-9473-22a2f39a4a56
Windows XP Professional x64 Edition and Windows XP Professional x64 Edition Service Pack 2, VBScript 5.6 and JScript 5.6:
http://www.microsoft.com/downloads/details.aspx?FamilyID=87b80ae3-e299-4d15-a135-3b1bcf943652
Windows Server 2003 Service Pack 1 and Windows Server 2003 Service Pack 2, VBScript 5.6 and JScript 5.6:
http://www.microsoft.com/downloads/details.aspx?FamilyID=88518aa6-e334-4529-aa63-0bf2ef417ce3
Windows Server 2003 x64 Edition and Windows Server 2003 x64 Edition Service Pack 2, VBScript 5.6 and JScript 5.6:
http://www.microsoft.com/downloads/details.aspx?FamilyID=12cefefc-8553-4dca-9850-c653371de61e
Windows Server 2003 with SP1 for Itanium-based Systems and Windows Server 2003 with SP2 for Itanium-based Systems, VBScript 5.6 and JScript 5.6:
http://www.microsoft.com/downloads/details.aspx?FamilyID=fe22a828-cca4-4b51-bbd5-995c65fead21
A restart is required.
The Microsoft advisory is available at:
http://www.microsoft.com/technet/security/bulletin/ms08-022.mspx
On August 12, 2008, Microsoft reported some issues where the security update may not be properly applied. The issues are described in a Knowledge Base article: http://support.microsoft.com/kb/944338
Vendor URL: www.microsoft.com/technet/security/bulletin/ms08-022.mspx
Cause:
Access control error
Underlying OS:
Message History:
None.
Source Message Contents
Date: Tue, 8 Apr 2008 15:02:28 -0400
Subject: Microsoft Security Bulletin MS08-022 Critical: Vulnerability in VBScript and JScript Scripting Engines Could Allow Remote Code Execution (944338)
http://www.microsoft.com/technet/security/bulletin/ms08-022.mspx
CVE-2008-0083