And only after four months did Microsoft officially release an update patch to fix this vulnerability.
ZDI usually waits about 120 days before it reveals the details of a vulnerability. According to the official security announcement issued by ZDI:
"This vulnerability allows an attacker to execute arbitrary code on the target Windows host. In exploiting this vulnerability, the attacker needs to find ways to interact with the user and allow them to access a malicious page or open a malicious file. This is caused by improper handling of the Error object by JScript. By executing malicious code in the script file, the attacker can reuse the target pointer after the pointer is released. Therefore, the attacker will be able to exploit this vulnerability to execute arbitrary code in the current process environment."
Currently, the CVSSv2 severity rating for this vulnerability is assessed as 6.8 (out of 10).
To exploit this vulnerability, the attacker needs to trick the user into accessing a specific malicious web page, or into downloading and opening a malicious JS file on the host.
The good news is that this vulnerability does not help the attacker gain full control of the target host, because the attacker can only execute their malicious code in the sandbox environment. Of course, the attacker can also combine it with other sandbox bypass techniques to execute their malicious code in the target host environment.
In any case, the Microsoft team is working hard to solve this problem. Please do not worry too much.
January 23, 2018: ZDI submitted the vulnerability information to the vendor;
January 23, 2018: The vendor received the vulnerability information and assigned an event number;
April 23, 2018: The vendor replied that it was difficult for them to reproduce the vulnerability without a PoC;
April 24, 2018: ZDI re-sent the latest PoC;
May 01, 2018: The vendor received the PoC;
May 08, 2018: The vendor requested additional PoC extensions;
May 29, 2018: ZDI decided to release information on this 0-day vulnerability.
ZDI said that, at present, no use of this vulnerability by attackers has been observed in real-world scenarios.