Researchers have discovered a medium-severity bug in Microsoft Windows that allows remote attackers to execute arbitrary code. Microsoft has not yet issued a patch, even though the bug was first reported to Microsoft on January 23, 2018.
Dmitri Kaslov of Telspace Systems initially discovered the vulnerability, which exists in the handling of error objects in JScript.
An advisory was posted on Zero Day Initiative, warning that CVE-2018-8267 “allows remote attackers to execute arbitrary code on vulnerable installations of Microsoft Windows. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file”.
Brian Gorenc, director of ZDI, told Threatpost by email that the vulnerability does not appear to be exploited in the wild, likely because the bug constitutes only one part of an overall attack.
“The flaw allows code execution within a sandboxed environment,” he explained. “An attacker would need additional exploits to escape the sandbox and execute their code on the target system. In all likelihood, this would be one step of an exploit chain. At Pwn2Own, we typically see several bugs combined together to make a complete exploit. Something similar would need to happen with this bug.”
As per the ZDI alert, the vulnerability does allow attackers to execute arbitrary code on certain installations of Windows. However, it requires user interaction: the target must be successfully manipulated into opening a malicious file or visiting a malicious page, which then runs the malicious JScript on their system.
The flaw exists in Microsoft’s implementation of the ECMAScript standard, the JScript component used in Internet Explorer. JScript is implemented as an Active Scripting engine, and the weakness lies in how it handles error objects: “by performing actions in script, an attacker can cause a pointer to be reused after it has been freed,” the advisory said. An attacker could then leverage this use-after-free to execute code in the context of the current process.
Although the vulnerability is still unpatched, ZDI was able to disclose it publicly in accordance with its 120-day patching deadline.
Apparently, Microsoft contacted ZDI in April saying it was unable to reproduce the issue without a proof-of-concept exploit; ZDI re-sent the report to Microsoft, which then requested an extension until May 8th. ZDI replied, “We have verified that we sent the POC with the original. The report will 0-day on May 29.”
Gorenc told Threatpost that Microsoft would issue a patch, but he is unsure whether it will be included in June’s Patch Tuesday release or arrive at a later date. “Until then, the only salient mitigation strategy is to restrict interaction with the application to trusted files,” he said.