New Windows Zero-Day JScript Remote Code Execution Vulnerability Disclosed

June 6, 2018

 

A new Windows zero-day remote code execution flaw has been disclosed. The flaw is in Microsoft’s ECMAScript standard and affects the JScript component of Internet Explorer and the way Windows handles Error objects in JScript.

The vulnerability has been rated medium severity, with a CVSS v3 score of 6.8. It was first identified in January by Telspace Systems security researcher Dmitri Kaslov. More than 120 days have now passed since the vulnerability was disclosed to Microsoft. Details of the flaw are therefore being published even though Microsoft has yet to issue a patch.

Microsoft was having trouble reproducing the problem without a proof-of-concept (POC) exploit, although the Zero Day Initiative (ZDI) did confirm that Microsoft had received a POC exploit and re-sent it in April.

Microsoft requested an extension to address the flaw, which was granted, although the deadline passed on May 29. Microsoft is expected to issue a patch, though it is currently unclear when that will be. The vulnerability does not appear to be under active exploitation in the wild.

By itself, the flaw is unlikely to be used to attack companies because the vulnerability would be exploited within a sandboxed environment, so other techniques would also be needed to escape the sandbox.

Although the flaw would allow remote code execution, some user interaction is required. The attacker would have to convince a user to visit a specially crafted webpage where malicious JScript is executed.

The vulnerability is being tracked as CVE-2018-8267. According to ZDI, “By carrying out actions in writing, an attacker can cause a pointer to be used once more after it has been freed. An attacker can control this weakness to execute code under the setting of the existing procedure.”

ZDI advises that “the only main alleviation plan is to limit interaction with the application to trusted documents.”