JavaScript Component of Windows found Remote Code Execution Vulnerability

JavaScript (/ˈdʒɑːvəˌskrɪpt/), often abbreviated as JS, is a high-level, interpreted programming language. It is a language which is also characterized as dynamic, weakly typed, prototype-based and multi-paradigm.

JavaScript enables interactive web pages and thus is an essential part of web applications. The vast majority of websites use it, and all major web browsers have a dedicated JavaScript engine to execute it.

A vulnerability exists in the Windows operating system’s JavaScript component that can allow an attacker to execute malicious code on a user’s computer.

Responsible for discovering this bug is Dmitri Kaslov of Telspace Systems, who passed it along to Trend Micro’s Zero-Day Initiative (ZDI), a project that intermediates the vulnerability disclosure process between independent researchers and larger companies.

ZDI experts reported the issue to Microsoft back in January, but Microsoft has yet to release a patch for this vulnerability. Yesterday, ZDI published a summary containing light technical details about the bug.

JavaScript bug leads to RCE

According to this summary, the vulnerability allows remote attackers to execute malicious code on users’ PCs.

Because the vulnerability affects the JavaScript component (Microsoft custom implementation of JavaScript), the only condition is that the attacker must trick the user into accessing a malicious web page, or download and open a malicious JS file on the system (typically executed via the Windows Script Host —wscript.exe).

“The specific flaw exists within the handling of Error objects in JScript,” ZDI experts explained. “By performing actions in [Javascript], an attacker can cause a pointer to be reused after it has been freed. An attacker can leverage this vulnerability to execute code under the context of the current process.”

“Due to the sensitivity of the bug, we don’t want to provide too many technical details until a full fix from Microsoft is available,” Brian Gorenc, director of Trend Micro’s Zero Day Initiative, told Bleeping Computer in an email today.

Flaw does not lead to full system compromise

Gorenc told us the vulnerability is not as dangerous as it sounds, as it does not allow a full system compromise.

“The flaw only allows code execution within a sandboxed environment,” Gorenc said. “An attacker would need additional exploits to escape the sandbox and execute their code on the target system.”

The vulnerability has received a 6.8 rating out of 10 on the CVSSv2 severity scale, which is a pretty high score, when compared to most vulnerabilities.

Microsoft is working on a patch

According to Gorenc, a patch is coming. “To the best of our knowledge, Microsoft does still intend to release a fix for this bug. However, they did not complete the fix within the timelines set out in our disclosure policy.”

ZDI usually gives companies 120 days to patch reported flaws before they go public with their advisories. According to a timeline of Microsoft’s replies, the OS maker had a hard time reproducing the proof-of-concept code needed to trigger the vulnerability, losing around 75% of the 120 disclosure timeline, leaving its engineers little time to put together and test a patch in time for May’s Patch Tuesday.

While Microsoft did not provide an exact timeline of when it plans to roll out a patch, a spokesperson confirmed they are working on a fix.