Kaslov disclosed the zero-day flaw through the Trend Micro Zero-Day Initiative (ZDI) back in January, then ZDI experts reported it to Microsoft.
After four months Microsoft has yet to roll out a patch to address the flaw so ZDI decided to publish a part of the technical analysis of the vulnerability.
ZDI usually waits 120 days before publicly disclose a flaw.
“This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Microsoft Windows. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.” reads the advisory published by ZDI.
“The specific flaw exists within the handling of Error objects in JScript. By performing actions in script, an attacker can cause a pointer to be reused after it has been freed. An attacker can leverage this vulnerability to execute code under the context of the current process.”
The vulnerability received a 6.8 rating out of 10 on the CVSSv2 severity scale.
To exploit the vulnerability, the attacker has to trick victims into accessing a malicious web page, or download and open a malicious JS file on the system.
The good news is that the vulnerability does not allow a full system compromise because attackers can execute malicious code only within a sandboxed environment.
Of course, an attacker can chain this vulnerability with a sandbox bypass exploit and then execute its own code on the target system.
Anyway, Microsoft is working on a security update
Below the timeline for the vulnerability:
01/23/18 – ZDI sent the vulnerability report to the vendor
01/23/18 – The vendor acknowledged and provided a case number
04/23/18 – The vendor replied that they were having difficulty reproducing the issue report without POC
04/24/18 – ZDI confirmed the POC was sent with the original and sent it again
05/01/18 – The vendor acknowledged receipt of the POC
05/08/18 – The vendor requested an extension
05/18/18 – ZDI replied “We have verified that we sent the POC with the original. The report will 0-day on May 29.”
ZDI confirmed that it is was not aware of attempts in the wild to exploit this vulnerability.
(Security Affairs – JScript component, zero-day)