VYPR
Unrated severity · NVD Advisory · Published Feb 22, 1999 · Updated Apr 16, 2026

CVE-1999-0379

Description

Microsoft Taskpads incorrectly marks methods as safe for scripting, allowing remote sites to execute commands on a visiting user's machine.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

Microsoft Taskpads, a feature provided by the Windows 98 Resource Kit, Windows 98 Resource Kit Sampler, and BackOffice Resource Kit (second edition), exposes certain methods that are incorrectly marked as "safe for scripting" [1]. This allows a remote web page to invoke executables on the visiting user's machine without permission. The affected products are not installed by default on Windows 95, Windows 98, or Windows NT.

Exploitation

An attacker hosts a malicious web page that calls the vulnerable Taskpads methods. When a user with an affected product installed visits the page, the attacker can execute arbitrary commands on the user's machine. No authentication or user interaction beyond visiting the page is required.

Impact

Successful exploitation allows the attacker to run executables with the privileges of the logged-on user. This can lead to full system compromise, including installation of malware, data theft, or further network propagation.

Mitigation

Microsoft released a patch (MS99-007) that removes the Taskpads functionality [1]. Affected customers should download and install the patch. As a workaround, users can avoid installing the affected Resource Kit products or refrain from browsing the web from machines where they are installed.
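
To find which installed controls carry the "safe for scripting" marking this advisory turns on, an administrator can audit a registry export of the CLSID tree. The following is an added example, not code from the advisory or from Microsoft: it looks for the standard Safe-for-Scripting and Safe-for-Initializing component-category IDs, and the sample export, CLSIDs, names and paths in it are constructed placeholders.

```python
import re

# Component-category IDs a COM control registers under "Implemented Categories"
# to declare itself safe for scripting / safe for initializing.
CATEGORIES = {
    "{7DD95801-9882-11CF-9FA9-00AA006C42C4}": "safe-for-scripting",
    "{7DD95802-9882-11CF-9FA9-00AA006C42C4}": "safe-for-initializing",
}
KEY_RE = re.compile(
    r"^\[(?:HKEY_CLASSES_ROOT|HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes)"
    r"\\CLSID\\(\{[0-9A-F-]{36}\})(?:\\(.+))?\]$", re.IGNORECASE)
DEFAULT_RE = re.compile(r'^@="(.*)"$')
# Constructed sample export; CLSIDs, names and paths are placeholders.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{00000000-0000-0000-0000-00000000A001}]
@="Sample Launcher Control"
[HKEY_CLASSES_ROOT\CLSID\{00000000-0000-0000-0000-00000000A001}\InprocServer32]
@="C:\\sample\\launcher.ocx"
[HKEY_CLASSES_ROOT\CLSID\{00000000-0000-0000-0000-00000000A001}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}]
[HKEY_CLASSES_ROOT\CLSID\{00000000-0000-0000-0000-00000000B002}]
@="Sample Unmarked Control"
[HKEY_CLASSES_ROOT\CLSID\{00000000-0000-0000-0000-00000000C003}\Implemented Categories\{7dd95802-9882-11cf-9fa9-00aa006c42c4}]
"""

def scriptable_controls(reg_text):
    """Return {CLSID: info} for controls registered as safe for scripting."""
    controls, clsid, subkey = {}, None, ""
    for line in map(str.strip, reg_text.splitlines()):
        if line.startswith("["):
            m = KEY_RE.match(line)
            clsid = m.group(1).upper() if m else None
            subkey = (m.group(2) or "").lower() if m else ""
            if clsid:
                info = controls.setdefault(clsid, {"name": None, "server": None, "marks": set()})
                parent, _, leaf = subkey.rpartition("\\")
                if parent == "implemented categories" and leaf.upper() in CATEGORIES:
                    info["marks"].add(CATEGORIES[leaf.upper()])
        elif clsid and (d := DEFAULT_RE.match(line)):
            value = d.group(1).replace("\\\\", "\\")  # undo .reg escaping
            if subkey == "":
                controls[clsid]["name"] = value
            elif subkey in ("inprocserver32", "localserver32"):
                controls[clsid]["server"] = value
    return {c: i for c, i in controls.items() if "safe-for-scripting" in i["marks"]}

if __name__ == "__main__":
    for clsid, info in scriptable_controls(SAMPLE_REG).items():
        print(clsid, info["name"], info["server"], sorted(info["marks"]))
```

A control can also declare itself safe at run time through the IObjectSafety interface, which a registry audit like this does not see, so an empty result is not proof that nothing on the machine is scriptable.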

AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
