Critical Windows Security Patch Released
By Julie King | March 20, 2003
To compromise a remote PC, a hacker would either need to draw users to a malicious website or send users an HTML email. In either case the hacker would need to exploit a flaw in the Windows Script Engine to run programs on the remote computer.
Microsoft is calling this update critical. However, there are some mitigating factors for end users, says Microsoft:
- For an attack to be successful, the user would need to visit a website under the attacker's control or receive an HTML e-mail from the attacker.
- Computers configured to disable active scripting in Internet Explorer are not susceptible to this issue.
- Exploiting the vulnerability would allow the attacker only the same privileges as the user. Users whose accounts are configured to have few privileges on the system would be at less risk than ones who operate with administrative privileges.
- Automatic exploitation of the vulnerability by an HTML email would be blocked by Outlook Express 6.0 and Outlook 2002 in their default configurations, and by Outlook 98 and 2000 if used in conjunction with the Outlook Email Security Update.
To download this update, visit Microsoft Security Bulletin MS03-008 or use the Windows Update feature in your operating system.
On a separate issue, Microsoft has also released a security update for Microsoft ISA Server 2000. For more information on that vulnerability, see Microsoft Security Bulletin MS03-009.