Expert found a zero-day RCE in Microsoft Windows JScript component

Dmitri Kaslov, a security researcher at Telspace Systems, discovered a vulnerability in the JScript component of the Windows operating system that can be exploited by an attacker to execute malicious code on a target computer.

Kaslov disclosed the zero-day flaw through the Trend Micro Zero-Day Initiative (ZDI) back in January, then ZDI experts reported it to Microsoft.

After four months Microsoft has yet to roll out a patch to address the flaw so ZDI decided to publish a part of the technical analysis of the vulnerability.

ZDI usually waits 120 days before publicly disclose a flaw.

“This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Microsoft Windows. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.” reads the advisory published by ZDI.

“The specific flaw exists within the handling of Error objects in JScript. By performing actions in script, an attacker can cause a pointer to be reused after it has been freed. An attacker can leverage this vulnerability to execute code under the context of the current process.”

The vulnerability received a 6.8 rating out of 10 on the CVSSv2 severity scale.

To exploit the vulnerability, the attacker has to trick victims into accessing a malicious web page, or download and open a malicious JS file on the system.

The good news is that the vulnerability does not allow a full system compromise because attackers can execute malicious code only within a sandboxed environment.

Of course, an attacker can chain this vulnerability with a sandbox bypass exploit and then execute its own code on the target system.

Anyway, Microsoft is working on a security update

Below the timeline for the vulnerability:

01/23/18 – ZDI sent the vulnerability report to the vendor
01/23/18 – The vendor acknowledged and provided a case number
04/23/18 – The vendor replied that they were having difficulty reproducing the issue report without POC
04/24/18 – ZDI confirmed the POC was sent with the original and sent it again
05/01/18 – The vendor acknowledged receipt of the POC
05/08/18 – The vendor requested an extension
05/18/18 – ZDI replied “We have verified that we sent the POC with the original. The report will 0-day on May 29.”

ZDI confirmed that it is was not aware of attempts in the wild to exploit this vulnerability.

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(Security Affairs – JScript component, zero-day)

[adrotate banner=”5″]

[adrotate banner=”13″]