Windows JScript Component Vulnerability Is Yet to Be Patched
NEWS

Windows JScript Component Vulnerability Is Yet to Be Patched

A flaw has been discovered in Windows’s JScript component. The vulnerability can lead to execution of malicious code on a vulnerable system, researchers warn.

More about the JScript Component Vulnerability

The JScript flaw was discovered by security researcher Dmitri Kaslov who gave it to Trend Micro’s Zero-Day Initiative (ZDI). The project is focused on intermediating vulnerability disclosure between independent researcher and companies. Note that the flaw is being disclosed publicly without a patch in accordance with the ZDI 120 day deadline.

Related Story: CVE-2018-11235 Git Vulnerability – Microsoft Releases Patch

Why is that? ZDI experts reported the issue to Microsoft few months ago, in January, but Microsoft still hasn’t released a patch to address the bug. ZDI recently published a summary with some technical details regarding the flaw.

As stated by ZDI:

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Microsoft Windows. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.

The vulnerability exists within the handling of Error objects in JScript. By performing actions in script, an attacker can cause a pointer to be reused after it has been freed, ZDI added. An attacker can leverage this flaw to execute code under the context of the current process.

More about the JScript Component

JScript is Microsoft’s dialect of the ECMAScript standard, used in Microsoft’s Internet Explorer. JScript is implemented as an Active Scripting engine meaning that it can be “plugged in” to OLE Automation applications that support Active Scripting, such as Internet Explorer, Active Server Pages, and Windows Script Host. In short, JScript component is Microsoft’s custom implementation of JavaScript.

Since the flaw affects this component, the user should be tricked (by the attacker) to access a malicious web page or download and execute a malicious JS file on his system. The file would be executed using the Windows Script Host, or wscript.exe.

Related Story: JavaScript SecureRandom() Function Exposes Bitcoin Wallets

Given the nature of the vulnerability the only salient mitigation strategy is to restrict interaction with the application to trusted files, ZDI researchers said.




Milena Dimitrova

An inspired writer and content manager who has been with SensorsTechForum for 4 years. Enjoys ‘Mr. Robot’ and fears ‘1984’. Focused on user privacy and malware development, she strongly believes in a world where cybersecurity plays a central role. If common sense makes no sense, she will be there to take notes. Those notes may later turn into articles!

More Posts

Leave a Comment

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload CAPTCHA.

Share on Facebook Share
Loading...
Share on Twitter Tweet
Loading...
Share on Google Plus Share
Loading...
Share on Linkedin Share
Loading...
Share on Digg Share
Share on Reddit Share
Loading...
Share on Stumbleupon Share
Loading...