Microsoft is investigating new public reports of a vulnerability in VBScript that is exposed on supported versions of Microsoft Windows 2000, Windows XP, and Windows Server 2003 through the use of Internet Explorer.
Our investigation has shown that the vulnerability cannot be exploited on Windows 7, Windows Server 2008 R2, Windows Vista, or Windows Server 2008. The main impact of the vulnerability is remote code execution. We are not aware of attacks that try to use the reported vulnerabilities or of customer impact at this time.
The vulnerability exists in the way that VBScript interacts with Windows Help files when using Internet Explorer. If a malicious Web site displayed a specially crafted dialog box and a user pressed the F1 key, arbitrary code could be executed in the security context of the currently logged-on user. On systems running Windows Server 2003, Internet Explorer Enhanced Security Configuration is enabled by default, which helps to mitigate this issue.
We are actively working with partners in our Microsoft Active Protections Program (MAPP) to provide information that they can use to provide broader protections to customers.
Upon completion of this investigation, Microsoft will take the appropriate action to help protect our customers. This may include providing a security update through our monthly release process or providing an out-of-cycle security update, depending on customer needs.
- This vulnerability cannot be exploited on Windows 7, Windows Server 2008 R2, Windows Vista, or Windows Server 2008.
- In a Web-based attack scenario, an attacker could host a Web site that contains a Web page that is used to exploit this vulnerability. In addition, compromised Web sites and Web sites that accept or host user-provided content or advertisements could contain specially crafted content that could exploit this vulnerability. In all cases, however, an attacker would have no way to force users to visit these Web sites. Instead, an attacker would have to convince users to visit the Web site, typically by getting them to click a link in an e-mail message or Instant Messenger message that takes users to the attacker’s Web site.
- The vulnerability could not be exploited without user interaction, even if the user visited the malicious Web site. Instead, an attacker would need to persuade a user to press the F1 key on the keyboard while the Web site displays a scripted dialog box.
- An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less affected than users who operate with administrative user rights.
- By default, Internet Explorer on Windows Server 2003 runs in a restricted mode that is known as Enhanced Security Configuration. This mode sets the security level for the Internet zone to High. This is a mitigating factor for Web sites that you have not added to the Internet Explorer Trusted sites zone.
- By default, all supported versions of Microsoft Outlook, Microsoft Outlook Express, and Windows Mail open HTML e-mail messages in the Restricted sites zone, removing the risk of an attacker being able to use this vulnerability to execute malicious code. The Restricted sites zone helps mitigate attacks that could try to exploit this vulnerability by preventing Active Scripting and ActiveX controls from being used when reading HTML e-mail messages. However, if a user clicks a link in an e-mail message, the user could still be vulnerable to exploitation of this vulnerability through the Web-based attack scenario. Additionally, Outlook 2007 uses a different component to render HTML e-mail, removing the risk of this exploit.
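The mitigating factors above can be checked on a host with a short audit script. This is an added example, not code from Microsoft or from the advisory; the function name is hypothetical, and it assumes the standard per-user Internet Explorer zone registry layout (zone 3 = Internet zone, `CurrentLevel` 0x12000 = High, action `1400` = Active Scripting).

```powershell
# Added example: audit one host against the advisory's mitigating factors.
# Assumption: only per-user zone settings under HKCU are read; zone settings
# enforced through Group Policy are stored elsewhere and are not checked here.
function Test-AdvisoryExposure {
    # Windows 2000 = 5.0, Windows XP = 5.1, XP x64 / Server 2003 = 5.2.
    # The advisory states that Vista, Server 2008, 7 and 2008 R2 (6.x)
    # cannot be exploited.
    $os = [Environment]::OSVersion.Version
    $osExposed = ($os.Major -eq 5)

    # Zone 3 is the Internet zone. Action 1400 is Active Scripting
    # (0 = enabled, 1 = prompt, 3 = disabled).
    $zoneKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'
    $zone = Get-ItemProperty -Path $zoneKey -ErrorAction SilentlyContinue
    $zoneHigh = $false
    $scriptingOff = $false
    if ($zone) {
        $zoneHigh = ($zone.CurrentLevel -eq 0x12000)
        $scriptingOff = ($zone.'1400' -eq 3)
    }

    # A successful attacker gains the rights of the logged-on user, so
    # record whether that user is a local administrator.
    $identity = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    $isAdmin = $principal.IsInRole(
        [Security.Principal.WindowsBuiltInRole]::Administrator)

    $result = New-Object PSObject
    $result | Add-Member -MemberType NoteProperty -Name OSVersion -Value $os.ToString()
    $result | Add-Member -MemberType NoteProperty -Name OSExposed -Value $osExposed
    $result | Add-Member -MemberType NoteProperty -Name InternetZoneHigh -Value $zoneHigh
    $result | Add-Member -MemberType NoteProperty -Name ActiveScriptingDisabled -Value $scriptingOff
    $result | Add-Member -MemberType NoteProperty -Name RunningAsAdmin -Value $isAdmin
    # Flag hosts on an exposed OS whose Internet zone is not at High.
    $result | Add-Member -MemberType NoteProperty -Name NeedsReview -Value ($osExposed -and -not $zoneHigh)
    $result
}

Test-AdvisoryExposure | Format-List
```

The script only reads settings and uses cmdlets available in Windows PowerShell 1.0, so it can run on the older systems the advisory lists.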
The security advisory discusses the following software.
- Microsoft Windows 2000 Service Pack 4
- Windows XP Service Pack 2, Windows XP Service Pack 3, and Windows XP Professional x64 Edition Service Pack 2
- Windows Server 2003 Service Pack 2, Windows Server 2003 with SP2 for Itanium-based Systems, and Windows Server 2003 x64 Edition Service Pack 2
- Windows Vista, Windows Vista Service Pack 1, Windows Vista Service Pack 2, Windows Vista x64 Edition, Windows Vista x64 Edition Service Pack 1, and Windows Vista x64 Edition Service Pack 2
- Windows Server 2008 for 32-bit Systems, Windows Server 2008 for 32-bit Systems Service Pack 2, Windows Server 2008 for Itanium-based Systems, Windows Server 2008 for Itanium-based Systems Service Pack 2, Windows Server 2008 for x64-based Systems, and Windows Server 2008 for x64-based Systems Service Pack 2
- Windows 7 for 32-bit Systems and Windows 7 for x64-based Systems
- Windows Server 2008 R2 for x64-based Systems and Windows Server 2008 R2 for Itanium-based Systems
Review Microsoft Security Advisory 981169 for an overview of the issue, details on affected components, mitigating factors, suggested actions, frequently asked questions (FAQs), and links to additional resources.
Customers who believe they are affected can contact Customer Service and Support (CSS) in North America for help with security update issues or viruses at no charge using the PC Safety line (866) PCSAFETY. International customers can contact Customer Service and Support by using any method found at http://www.microsoft.com/protect/worldwide/default.mspx.
- Microsoft Security Advisory 981169 - Vulnerability in VBScript Could Allow Remote Code Execution: http://www.microsoft.com/technet/security/advisory/981169.mspx
- Microsoft Security Response Center (MSRC) Blog: http://blogs.technet.com/msrc/
- Microsoft Malware Protection Center (MMPC) Blog: http://blogs.technet.com/mmpc/
- Microsoft Security Research & Defense (SRD) Blog: http://blogs.technet.com/srd/
- Microsoft Security Development Lifecycle (SDL) Blog: http://blogs.msdn.com/sdl/