A flaw has been discovered in the JScript component of Windows. The vulnerability can lead to execution of malicious code on a vulnerable system, researchers warn.
More about the JScript Component Vulnerability
The JScript flaw was discovered by security researcher Dmitri Kaslov, who reported it through Trend Micro’s Zero-Day Initiative (ZDI). The program acts as an intermediary for vulnerability disclosure between independent researchers and vendors. Note that the flaw is being disclosed publicly without a patch, in accordance with ZDI’s 120-day disclosure deadline.
Why is that? ZDI reported the issue to Microsoft a few months ago, in January, but Microsoft still hasn’t released a patch to address the bug. ZDI recently published an advisory with some technical details regarding the flaw.
As stated by ZDI:
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Microsoft Windows. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.
The vulnerability exists within the handling of Error objects in JScript. By performing actions in script, an attacker can cause a pointer to be reused after it has been freed, ZDI added. An attacker can leverage this flaw to execute code under the context of the current process.
More about the JScript Component
JScript is Microsoft’s dialect of the ECMAScript standard, used in Microsoft’s Internet Explorer. JScript is implemented as an Active Scripting engine, meaning that it can be “plugged in” to OLE Automation applications that support Active Scripting, such as Internet Explorer, Active Server Pages, and Windows Script Host. In short, the JScript component is Microsoft’s own implementation of JavaScript.
Since the flaw lives in this component, the attacker must trick the user into visiting a malicious web page or into downloading and running a malicious .js file on their system. Such a file would be executed by the Windows Script Host, i.e. wscript.exe (or its console counterpart, cscript.exe).
Given the nature of the vulnerability, the only salient mitigation strategy is to restrict interaction with the application to trusted files, ZDI researchers said.
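Beyond ZDI’s advice to avoid untrusted files, one concrete way to close the wscript.exe delivery path described above is to turn off Windows Script Host entirely until a patch ships. The following is an added hardening example written for this article; it is not code from ZDI or Microsoft, and treating WSH disablement as an acceptable interim control is an assumption on the administrator’s part. The registry locations and the meaning of the Enabled value are documented Windows behaviour; the helper function name is our own.

```powershell
# Added example (not from the article or ZDI): disable Windows Script Host so that
# wscript.exe / cscript.exe refuse to run .js and .vbs files delivered to the user.
# Assumption: breaking WSH-based logon scripts and admin tooling is acceptable here.
# Run from an elevated PowerShell prompt.

$machineKey = 'HKLM:\SOFTWARE\Microsoft\Windows Script Host\Settings'
$userKey    = 'HKCU:\SOFTWARE\Microsoft\Windows Script Host\Settings'

# Get-WshState (our helper): reports whether WSH is enabled at a given registry key.
# A missing key or missing Enabled value means the Windows default, which is "enabled".
function Get-WshState {
    param([string]$Key)
    if (-not (Test-Path $Key)) { return 'default (enabled)' }
    $props = Get-ItemProperty -Path $Key -ErrorAction SilentlyContinue
    if ($null -eq $props.Enabled) { return 'default (enabled)' }
    if ($props.Enabled -eq 0)     { return 'disabled' }
    return 'enabled'
}

Write-Host "Before: machine=$(Get-WshState $machineKey)  user=$(Get-WshState $userKey)"

foreach ($key in @($machineKey, $userKey)) {
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    # Enabled = 0 (REG_DWORD) makes WSH refuse to run any script.
    # The HKLM value applies to every user on the machine; HKCU only to the current one.
    Set-ItemProperty -Path $key -Name 'Enabled' -Value 0 -Type DWord
}

Write-Host "After:  machine=$(Get-WshState $machineKey)  user=$(Get-WshState $userKey)"

# Verification: double-clicking any .js file, or running `cscript //nologo some.js`,
# should now produce the WSH dialog stating that script host access is disabled.
# To revert once Microsoft ships a fix:
#   Set-ItemProperty -Path $machineKey -Name 'Enabled' -Value 1 -Type DWord
```

Two caveats: this only blocks the file-based delivery path through wscript.exe and cscript.exe; the browser-based path, a malicious page rendered in Internet Explorer, still reaches the JScript engine, so it remains exposed until a patch arrives. And any legitimate automation that relies on WSH (logon scripts, software-deployment scripts) stops working, which is why the script prints the state before and after so the change can be audited and reverted.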