Recently, Dmitri Kaslov, a security researcher at Telspace Systems, discovered a serious security hole in the JScript component of the Windows operating system that would allow an attacker to execute malicious code on the target host. Kaslov found the vulnerability in January of this year and reported it to Microsoft through Trend Micro's Zero Day Initiative (ZDI), whose security experts passed the details on to the Microsoft team.
Four months later, with no patch available, ZDI published its advisory for the vulnerability as a zero-day.
ZDI's disclosure policy usually gives a vendor around 120 days before the details of a vulnerability are made public. According to the official security advisory issued by ZDI:
"The vulnerability allows an attacker to execute arbitrary code on the target Windows host. To exploit it, an attacker needs to interact with the user and get them to visit a malicious page or open a malicious file. The vulnerability is due to JScript's improper handling of Error objects. By performing actions in script, the attacker can cause a pointer to be reused after it has been freed. An attacker can therefore exploit this vulnerability to execute arbitrary code in the context of the current process."
The vulnerability currently carries a CVSSv2 severity rating of 6.8 out of 10.
To exploit it, an attacker has to trick the user into visiting a specially crafted malicious web page, or into downloading and opening a malicious .js file on the host.
The good news is that this vulnerability on its own does not hand the attacker full control of the target host, because the malicious code only runs inside the sandboxed environment of the current process. The attacker could, however, chain it with a separate sandbox escape to run code in the host environment itself.
In any case, the Microsoft team is working on a fix, so there is no need to worry too much.
January 23, 2018: ZDI submits the vulnerability report to the vendor;
January 23, 2018: The vendor acknowledges receipt of the report and assigns a case number;
April 23, 2018: The vendor replies that it is having difficulty reproducing the vulnerability without a PoC;
April 24, 2018: ZDI re-sends the latest PoC;
May 01, 2018: The vendor confirms receipt of the PoC;
May 08, 2018: The vendor requests an extension of the disclosure deadline;
May 29, 2018: ZDI publishes the advisory for this vulnerability as a 0-day.
ZDI says that, so far, no exploitation of this vulnerability has been observed in real-world attacks.