MS03-008: Flaw in Windows Script Engine may allow code to run

Article translations Article translations
Article ID: 814078 - View products that this article applies to.
Expand all | Collapse all

On This Page

SYMPTOMS

An attacker may exploit a vulnerability in Windows Script Engine by constructing a Web page that, when visited by a user, runs code of the attacker’s choice with user credentials. The attacker can host the Web page on a Web site or send the page directly to the user by e-mail.

CAUSE

This problem occurs because of a flaw in the way that Windows Script Engine for JScript processes information.

RESOLUTION

Windows XP service pack information

To resolve this problem, obtain the latest service pack for Windows XP. For more information, click the following article number to view the article in the Microsoft Knowledge Base:
322389 How to obtain the latest Windows XP service pack

Update information

To resolve this problem, you can install an update. You must install the update that corresponds to the version of operating system that you are running, and to the version of JScript that you currently have installed. To determine the version of JScript that is installed, follow these steps:
  1. Click Start, click Run, type %windir%\system32, and then click OK.

    Note For Microsoft Windows 98 installations, type %windir%\system, and then click OK.
  2. In the system32 window, or in the System window if you are using Windows 98, locate the Jscript.dll file.
  3. Right-click the Jscript.dll file, and then click Properties.
  4. Click the Version tab.

    The file version is displayed in the first line of information that appears on the Version tab.
After you have determined the version of JScript that is installed, click the download link that is specific to your operating system version. Then, review the Instructions section on the download page for information about which version of the JScript security update you must install.

The following files are available for download from the Microsoft Download Center:
Windows XP and Windows 2000
Collapse this imageExpand this image
Download
Download the 814078 package now
Windows NT 4.0 and Windows NT 4.0, Terminal Server Edition
Collapse this imageExpand this image
Download
Download the 814078 package now
Windows Millennium Edition
Collapse this imageExpand this image
Download
Download the 814078 package now
Windows 98 Second Edition and Windows 98
Collapse this imageExpand this image
Download
Download the 814078 package now
Release Date: March 19, 2003

For additional information about how to download Microsoft Support files, click the following article number to view the article in the Microsoft Knowledge Base:
119591 How to Obtain Microsoft Support Files from Online Services
Microsoft scanned this file for viruses. Microsoft used the most current virus-detection software that was available on the date that the file was posted. The file is stored on security-enhanced servers that help to prevent any unauthorized changes to the file.

Prerequisites

Collapse this tableExpand this table
Operating systemMinimum requirement
Windows XPWindows XP or Windows XP Service Pack 1 (SP1)
Windows 2000Windows 2000 SP2, or SP3
Windows NT 4.0 Terminal Server EditionWindows NT 4.0 TSE SP6
Windows NT 4.0Windows NT 4.0 SP6a
Windows Millennium Edition Windows Millennium Edition
Windows 98 Second Edition Windows 98 Second Edition
Windows 98Windows 98
For more information about how to obtain the latest Windows XP service pack, click the following article number to view the article in the Microsoft Knowledge Base:
322389 How to obtain the latest Windows XP service pack
For more information about how to obtain the latest Windows 2000 service pack, click the following article number to view the article in the Microsoft Knowledge Base:
260910 How to obtain the latest Windows 2000 service pack

For more information about how to obtain the latest Windows NT 4.0 service pack, click the following article number to view the article in the Microsoft Knowledge Base:
152734 How to obtain the latest Windows NT 4.0 service pack

Installation information

This update supports the following Setup switches.
Collapse this tableExpand this table
SwitchDescription
/?Display the list of installation switches.
/qUse Quiet mode (no user interaction).
/t: full_pathThe temporary working folder.
/c Extract only. Use with /t.
/c: cmdOverride install command defined by author.
/rControl or force reboot. (See the following examples.)
For example, the following command line installs the update with very little user intervention and then does not prevent the computer from restarting:
js56nen /q /r:n
To install the update with very little user intervention and silently restart without prompting the user:
js56nen /q /r:s
Note The updated file will not be completely installed. Therefore, the security hole will still exist until the computer has been restarted. For more information about command line switches, click the following article number to view the article in the Microsoft Knowledge Base:
197147 Command-line switches for IExpress software update packages

Removal information

JScript is a system file and protected component and therefore cannot be removed.

Restart requirement

You must restart your computer after you apply this update.

Hotfix replacement information

This update does not replace any other updates.

File information

The English version of this hotfix has the file attributes (or later file attributes) that are listed in the following table. The dates and times for these files are listed in Coordinated Universal Time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time tool in Control Panel.

Depending on the version of JScript installed (5.1, 5.5 or 5.6), one of the following files will be present in the %WINDIR%\System32 folder.
   Date         Time   Version     Size     File name
   -----------------------------------------------------
   13-Jan-2003  20:57  5.6.0.8513  589,881  Jscript.dll
   13-Jan-2003  18:53  5.5.0.8513  553,020  Jscript.dll
   14-Jan-2003  14:58  5.1.0.8513  487,481  Jscript.dll

STATUS

Microsoft has confirmed that this problem may cause a degree of security vulnerability in the Microsoft products that are listed in the "Applies to" section.

Windows XP

This problem was first corrected in Microsoft Windows XP Service Pack 2.

MORE INFORMATION

For more information about this vulnerability, visit the following Microsoft Web site:
http://www.microsoft.com/technet/security/bulletin/MS03-008.mspx
For more information about JScript, visit the following Microsoft Web site:
http://msdn2.microsoft.com/en-us/library/6974wx4d.aspx

Properties

Article ID: 814078 - Last Review: July 30, 2007 - Revision: 16.5
APPLIES TO
  • Microsoft Windows XP Professional
  • Microsoft Windows XP Home Edition
  • Microsoft Windows 2000 Professional Edition
  • Microsoft Windows 2000 Server
  • Microsoft Windows 2000 Advanced Server
  • Microsoft Windows NT Server 4.0 Standard Edition
  • Microsoft Windows NT Server 4.0, Terminal Server Edition
  • Microsoft Windows NT Workstation 4.0 Developer Edition
  • Microsoft Windows Millennium Edition
  • Microsoft Windows 98 Second Edition
  • Microsoft Windows 98 Standard Edition
Keywords: 
atdownload kbwinxpsp2fix kbenv kbwin2000presp4fix kbsecvulnerability kbsecbulletin kbsecurity kbwinxppresp2fix kbfix kbbug KB814078

Give Feedback

 

Contact us for more help

Contact us for more help
Connect with Answer Desk for expert help.
Get more support from smallbusiness.support.microsoft.com