Expert found a zero-day RCE in Microsoft Windows JScript component
30.5.18 securityaffairs Vulnerebility
Dmitri Kaslov, a security researcher at Telspace Systems, discovered a vulnerability in the JScript component of the Windows operating system that can be exploited by an attacker to execute malicious code on a target computer.
Kaslov disclosed the zero-day flaw through the Trend Micro Zero-Day Initiative (ZDI) back in January, then ZDI experts reported it to Microsoft.
After four months Microsoft has yet to roll out a patch to address the flaw so ZDI decided to publish a part of the technical analysis of the vulnerability.
ZDI usually waits 120 days before publicly disclose a flaw.
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Microsoft Windows. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. reads the advisory published by ZDI.
The specific flaw exists within the handling of Error objects in JScript. By performing actions in script, an attacker can cause a pointer to be reused after it has been freed. An attacker can leverage this vulnerability to execute code under the context of the current process.
The vulnerability received a 6.8 rating out of 10 on the CVSSv2 severity scale.
Microsoft Windows JScript component
To exploit the vulnerability, the attacker has to trick victims into accessing a malicious web page, or download and open a malicious JS file on the system.
The good news is that the vulnerability does not allow a full system compromise because attackers can execute malicious code only within a sandboxed environment.
Of course, an attacker can chain this vulnerability with a sandbox bypass exploit and then execute its own code on the target system.
Anyway, Microsoft is working on a security update
Below the timeline for the vulnerability:
01/23/18 ZDI sent the vulnerability report to the vendor
01/23/18 The vendor acknowledged and provided a case number
04/23/18 The vendor replied that they were having difficulty reproducing the issue report without POC
04/24/18 ZDI confirmed the POC was sent with the original and sent it again
05/01/18 The vendor acknowledged receipt of the POC
05/08/18 The vendor requested an extension
05/18/18 ZDI replied We have verified that we sent the POC with the original. The report will 0-day on May 29.
ZDI confirmed that it is was not aware of attempts in the wild to exploit this vulnerability.