A new Windows zero day remote code execution flaw has been identified. The flaw is present in Microsoft’s ECMAScript standard and affects the Jscript component of Internet Explorer and the way Windows handles error objects in Jscript.
The vulnerability has been given a medium severity with a CVSS V3 rating of 6.8. The vulnerability was first identified in January by Telspace Systems security researcher Dmitri Kaslov. It has now been more than 120 days since the vulnerability was disclosed to Microsoft. Consequently, details of the flaw are now being released even though Microsoft has yet to release a patch for the flaw.
Microsoft was having difficulty reproducing the issue without a proof-of-concept (POC) exploit, although the Zero Day Initiative (ZDI) did confirm that Microsoft had received a POC exploit and resent this in April.
Microsoft requested an extension to address the flaw, which was provided, although the deadline was passed on May 29. Microsoft is expected to release a patch, although it is currently unclear when that will be. It does not appear that the vulnerability is currently being exploited in the wild
By itself the flaw would be unlikely to be used to attack organizations as the vulnerability needs to be exploited in a sandboxed environment, so other exploits would also need to be used to escape the sandbox.
While the flaw would allow remote code execution, some user interaction is required. The attacker would need to convince a user to visit a specially crafted webpage where malicious JScript is executed.
The vulnerability is being tracked as CVE-2018-8267. According to ZDI, “By performing actions in script, an attacker can cause a pointer to be reused after it has been freed. An attacker can leverage this vulnerability to execute code under the context of the current process.”
ZDI reports “the only salient mitigation strategy is to restrict interaction with the application to trusted files.”