Researchers have discovered a medium-severity Windows vulnerability that enables remote attackers to execute arbitrary code – and Microsoft hasn’t issued a patch yet.
The flaw, which was first discovered by Dmitri Kaslov of Telspace Systems, exists within the handling of error objects in JScript, according to a Tuesday advisory by Trend Micro’s Zero Day Initiative group.
In the good-news column, Brian Gorenc, director of ZDI, told Threatpost in an email that there is so far no indication that the vulnerability is being exploited in the wild — likely because, he explained, the bug would be only one part of a successful attack.
“The flaw allows code execution within a sandboxed environment,” he explained. “An attacker would need additional exploits to escape the sandbox and execute their code on the target system. In all likelihood, this would be one step of an exploit chain. At Pwn2Own, we typically see several bugs combined together to make a complete exploit. Something similar would need to happen with this bug.”
This vulnerability does allow remote attackers to execute arbitrary code on certain installations of Windows, according to an alert from ZDI. However, it’s mitigated by the fact that user interaction is required: The target must be tricked into visiting a malicious page or opening a malicious file, which then executes the malicious JScript on the system.
The glitch lies in Microsoft's implementation of the ECMAScript standard – the JScript component used in Internet Explorer. JScript in this case is implemented as an active scripting engine.
This is problematic because “by performing actions in script, an attacker can cause a pointer to be reused after it has been freed,” the advisory said. An attacker can then leverage the vulnerability to execute code under the context of the current process, according to ZDI.
The bug, which was first sent to Microsoft Jan. 23, 2018, is being disclosed publicly without a patch in accordance with the ZDI 120-day deadline. The bug has a CVSS score of 6.8, according to ZDI, making it moderate in severity.
In April, Microsoft reported to ZDI that it was having difficulty reproducing the issue report without a proof-of-concept exploit, which ZDI then re-sent to Microsoft. Microsoft then requested an extension to May 8, to which ZDI replied, “We have verified that we sent the POC with the original. The report will 0-day on May 29.”
Gorenc told Threatpost that a patch is coming, but that he doesn’t know if it will be included in June’s Patch Tuesday release or later. “Until then, the only salient mitigation strategy is to restrict interaction with the application to trusted files,” he said.
Microsoft has not yet responded to a request for comment on this story; we’ll update the article if and when the software giant weighs in.