| VID |
26038 |
| Severity |
30 |
| Port |
139,445 |
| Protocol |
TCP |
| Class |
SMB |
| Detailed Description |
The hotfix (Q814078) for the "Flaw in Windows Script Engine" is not applied.
The Windows Script Engine provides Windows operating systems with the ability to execute script code. Script code can be used to add functionality to web pages, or to automate tasks within the operating system or within a program. Script code can be written in several different scripting languages, such as Visual Basic Script, or Jscript.
A security vulnerability exists in the way by which the Windows Script Engine for Jscript processes information. An attacker could exploit the vulnerability by constructing a web page that, when visited by the user, would execute code of the attacker's choice with the user's privileges. The web page could be hosted on a web site, or sent directly to the user in email.
* References:
http://www.microsoft.com/technet/security/bulletin/ms03-008.asp
* Note: This check requires an account with Guest or upper privileges which can access the registry of the remote host to scan. Absence of these condition will result in the check not being performed and a False Negative for all vulnerable hosts.
* Platforms Affected:
Microsoft Windows 98
Microsoft Windows 98 Second Edition
Microsoft Windows Me
Microsoft Windows NT 4.0
Microsoft Windows NT 4.0 Terminal Server Edition
Microsoft Windows 2000
Microsoft Windows XP |
| Recommendation |
Apply the patch for this vulnerability, as listed in Microsoft Security Bulletin MS03-008, http://www.microsoft.com/technet/security/bulletin/ms03-008.asp |
| Related URL |
CVE-2003-0010 (CVE) |
| Related URL |
(SecurityFocus) |
| Related URL |
(ISS) |
|
