Microsoft KB Archive/814078

= MS03-008: Flaw in Windows Script Engine may allow code to run =

Article ID: 814078

Article Last Modified on 7/30/2007

-

APPLIES TO


 * Microsoft Windows XP Professional
 * Microsoft Windows XP Home Edition
 * Microsoft Windows 2000 Professional Edition
 * Microsoft Windows 2000 Server
 * Microsoft Windows 2000 Advanced Server
 * Microsoft Windows NT Server 4.0 Standard Edition
 * Microsoft Windows NT Server 4.0, Terminal Server Edition
 * Microsoft Windows NT Workstation 4.0 Developer Edition
 * Microsoft Windows Millennium Edition
 * Microsoft Windows 98 Second Edition
 * Microsoft Windows 98 Standard Edition

-





SYMPTOMS
An attacker may exploit a vulnerability in Windows Script Engine by constructing a Web page that, when visited by a user, runs code of the attacker’s choice with user credentials. The attacker can host the Web page on a Web site or send the page directly to the user by e-mail.



CAUSE
This problem occurs because of a flaw in the way that Windows Script Engine for JScript processes information.



Windows XP service pack information
To resolve this problem, obtain the latest service pack for Windows XP. For more information, click the following article number to view the article in the Microsoft Knowledge Base:

322389 How to obtain the latest Windows XP service pack

Update information
To resolve this problem, you can install an update. You must install the update that corresponds to the version of operating system that you are running, and to the version of JScript that you currently have installed. To determine the version of JScript that is installed, follow these steps:
 * 1) Click Start, click Run, type %windir%\system32, and then click OK.

Note For Microsoft Windows 98 installations, type %windir%\system, and then click OK.
 * 1) In the system32 window, or in the System window if you are using Windows 98, locate the Jscript.dll file.
 * 2) Right-click the Jscript.dll file, and then click Properties.
 * 3) Click the Version tab.

The file version is displayed in the first line of information that appears on the Version tab.

After you have determined the version of JScript that is installed, click the download link that is specific to your operating system version. Then, review the Instructions section on the download page for information about which version of the JScript security update you must install.

The following files are available for download from the Microsoft Download Center:

Windows XP and Windows 2000
Download the 814078 package now

Windows NT 4.0 and Windows NT 4.0, Terminal Server Edition
Download the 814078 package now

Windows Millennium Edition
Download the 814078 package now

Windows 98 Second Edition and Windows 98
Download the 814078 package now

Release Date: March 19, 2003

For additional information about how to download Microsoft Support files, click the following article number to view the article in the Microsoft Knowledge Base:

119591 How to Obtain Microsoft Support Files from Online Services

Microsoft scanned this file for viruses. Microsoft used the most current virus-detection software that was available on the date that the file was posted. The file is stored on security-enhanced servers that help to prevent any unauthorized changes to the file.

Prerequisites
For more information about how to obtain the latest Windows XP service pack, click the following article number to view the article in the Microsoft Knowledge Base:

322389 How to obtain the latest Windows XP service pack

For more information about how to obtain the latest Windows 2000 service pack, click the following article number to view the article in the Microsoft Knowledge Base:

260910 How to obtain the latest Windows 2000 service pack

For more information about how to obtain the latest Windows NT 4.0 service pack, click the following article number to view the article in the Microsoft Knowledge Base:

152734 How to obtain the latest Windows NT 4.0 service pack

Installation information
This update supports the following Setup switches.

For example, the following command line installs the update with very little user intervention and then does not prevent the computer from restarting:

js56nen /q /r:n

To install the update with very little user intervention and silently restart without prompting the user:

js56nen /q /r:s

Note The updated file will not be completely installed. Therefore, the security hole will still exist until the computer has been restarted. For more information about command line switches, click the following article number to view the article in the Microsoft Knowledge Base:

197147 Command-line switches for IExpress software update packages

Removal information
JScript is a system file and protected component and therefore cannot be removed.

Restart requirement
You must restart your computer after you apply this update.

Hotfix replacement information
This update does not replace any other updates.

File information
The English version of this hotfix has the file attributes (or later file attributes) that are listed in the following table. The dates and times for these files are listed in Coordinated Universal Time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time tool in Control Panel.

Depending on the version of JScript installed (5.1, 5.5 or 5.6), one of the following files will be present in the %WINDIR%\System32 folder.   Date         Time   Version     Size     File name -  13-Jan-2003  20:57  5.6.0.8513  589,881  Jscript.dll 13-Jan-2003 18:53  5.5.0.8513  553,020  Jscript.dll 14-Jan-2003 14:58  5.1.0.8513  487,481  Jscript.dll



STATUS
Microsoft has confirmed that this problem may cause a degree of security vulnerability in the Microsoft products that are listed in the &quot;Applies to&quot; section.

Windows XP
This problem was first corrected in Microsoft Windows XP Service Pack 2.



MORE INFORMATION
For more information about this vulnerability, visit the following Microsoft Web site:

http://www.microsoft.com/technet/security/bulletin/MS03-008.mspx

For more information about JScript, visit the following Microsoft Web site:

http://msdn2.microsoft.com/en-us/library/6974wx4d.aspx

Additional query words: security_patch rollup js56nen.exe

Keywords: atdownload kbwinxpsp2fix kbenv kbwin2000presp4fix kbsecvulnerability kbsecbulletin kbsecurity kbwinxppresp2fix kbfix kbbug KB814078

-

[mailto:TECHNET@MICROSOFT.COM Send feedback to Microsoft]

© Microsoft Corporation. All rights reserved.