The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

Vulnerability of Windows: code execution via VBScript/JScript

Synthesis of the vulnerability

An attacker can create an HTML page containing a maliciously encoded VBScript/JScript script in order to execute code on the victim's computer.
Severity of this weakness: 4/4.
Creation date: 09/04/2008.
References of this bulletin: 944338, BID-28551, CERTA-2008-AVI-193, CVE-2008-0083, MS08-022, VIGILANCE-VUL-7740.

Description of the vulnerability

VBScript and JScript scripts can be encoded to ensure that users cannot copy the code by looking at the source of the HTML page. Encoded scripts are decoded by VBScript.dll and JScript.dll.

However, when malformed data is decoded, memory corruption can occur. This corruption leads to code execution.

An attacker can therefore create an HTML page containing a maliciously encoded VBScript/JScript script in order to execute code on the victim's computer.
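
For filtering on a proxy or mail gateway in front of unpatched hosts, the following added example (not part of the original bulletin) flags HTML pages that carry encoded scripts. The `JScript.Encode` / `VBScript.Encode` language values and the `#@~^` start marker come from the Microsoft Script Encoder output format, not from this bulletin; the sample page is constructed.

```python
import re
from html.parser import HTMLParser

# Values written by Microsoft Script Encoder (assumption: not stated in the bulletin).
ENCODE_LANG = re.compile(r"^\s*(?:vbscript|jscript)\.encode\s*$", re.I)
START_MARKER = "#@~^"

class EncodedScriptFinder(HTMLParser):
    """Collect <script> elements that declare or contain an encoded script."""

    def __init__(self):
        super().__init__()
        self.findings = []
        self._open = None  # the <script> element currently being read

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            lang = dict(attrs).get("language") or ""
            self._open = {"line": self.getpos()[0], "language": lang,
                          "declared": bool(ENCODE_LANG.match(lang)),
                          "marker": False}

    def handle_data(self, data):
        # A marker without a matching language attribute is still worth flagging.
        if self._open is not None and START_MARKER in data:
            self._open["marker"] = True

    def handle_endtag(self, tag):
        if tag == "script":
            self.flush_open()

    def flush_open(self):
        if self._open and (self._open["declared"] or self._open["marker"]):
            self.findings.append(self._open)
        self._open = None

def find_encoded_scripts(html):
    parser = EncodedScriptFinder()
    parser.feed(html)
    parser.close()
    parser.flush_open()  # a <script> that was never closed is judged on its attribute
    return parser.findings

# Constructed sample page; the script bodies are placeholders, not real encoded data.
SAMPLE = (
    '<html><body>\n'
    '<script type="text/javascript">var a = 1;</script>\n'
    '<script language="JScript.Encode">#@~^PLACEHOLDER^#~@</script>\n'
    '<script language="VBScript">#@~^PLACEHOLDER^#~@</script>\n'
    '</body></html>\n'
)
```

A non-empty result from `find_encoded_scripts(SAMPLE)` is a reason to block or quarantine the page on hosts that have not received the patch listed below.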

This cybersecurity weakness impacts software or systems such as Windows 2000, Windows 2003, Windows XP.

Our Vigil@nce team determined that the severity of this security vulnerability is critical.

The trust level is of type "confirmed by the editor", with an origin of "document".

An attacker with expert ability can exploit this vulnerability.

Solutions for this threat

Windows: patch for VBScript/JScript.
A patch is available:

Windows 2000 SP4 - VBScript 5.1, JScript 5.1
  http://www.microsoft.com/downloads/details.aspx?FamilyID=8e3ff44f-145b-4a68-9ad4-4a55d74b216e
Windows 2000 SP4 - VBScript 5.6, JScript 5.6
  http://www.microsoft.com/downloads/details.aspx?FamilyID=8e3ff44f-145b-4a68-9ad4-4a55d74b216e
Windows XP SP2 - VBScript 5.6, JScript 5.6
  http://www.microsoft.com/downloads/details.aspx?FamilyID=c0124698-3b94-4474-9473-22a2f39a4a56
Windows XP Professional x64 Edition Gold, SP2 - VBScript 5.6 and JScript 5.6
  http://www.microsoft.com/downloads/details.aspx?FamilyID=87b80ae3-e299-4d15-a135-3b1bcf943652
Windows Server 2003 SP1, SP2 - VBScript 5.6, JScript 5.6
  http://www.microsoft.com/downloads/details.aspx?FamilyID=88518aa6-e334-4529-aa63-0bf2ef417ce3
Windows Server 2003 x64 Gold, SP2 - VBScript 5.6, JScript 5.6
  http://www.microsoft.com/downloads/details.aspx?FamilyID=12cefefc-8553-4dca-9850-c653371de61e
Windows Server 2003 Itanium Gold, SP2 - VBScript 5.6, JScript 5.6
  http://www.microsoft.com/downloads/details.aspx?FamilyID=fe22a828-cca4-4b51-bbd5-995c65fead21
The Microsoft announcement indicates workarounds.