Microsoft warns on ‘critical’ Windows flaw


20 March 2003

Microsoft has issued a ‘critical’ alert about a security flaw that affects all its client operating systems, from Windows 98 to Windows XP.

The flaw primarily involves JScript, Microsoft’s implementation of JavaScript, a scripting language devised by Netscape in the mid-1990s and commonly used to bring interactivity and other features to many web sites. However, it also affects Microsoft’s proprietary Visual Basic Script (VBScript) language.

An attacker can exploit the buffer overflow flaw either by sending an HTML-formatted email containing the script to the target – assuming that they are running a Microsoft Outlook email client – or by building the script into a web site and enticing the victim to visit it.

When the script is executed, it can enable an attacker to take control of a user’s PC. But although Microsoft labelled the flaw as critical and advised users to patch their machines as a matter of urgency, it stressed that versions of Outlook that had been patched to protect against earlier vulnerabilities ought to be secure.

The alert is not the first to be issued by the software giant this week. On Monday, it also warned of a new vulnerability in its Internet Information Services (IIS) web server, which had been exploited by hackers in an attack on a US military server.

This attack and the disclosure by the US Army forced Microsoft to admit the flaw earlier than it would have liked. Microsoft has long argued that publicising security vulnerabilities before vendors have had a chance to distribute patches only plays into the hands of hackers.

Ben Rossi
