A vulnerability has been discovered in the JScript component of the Windows operating system. It could allow attackers to execute malicious code on an affected system.
To exploit the vulnerability, an attacker must first social-engineer the user into visiting a malicious web page that contains the exploit, or get a malicious JS file downloaded onto the system, where it is then executed by the Windows Script Host.
“The specific flaw exists within the handling of Error objects in JScript,” ZDI experts explained. “By performing actions in [Jscript], an attacker can cause a pointer to be reused after it has been freed. An attacker can leverage this vulnerability to execute code under the context of the current process.”
Although the vulnerability exists, it does not allow a full system compromise. The flaw only allows code execution within a sandboxed environment. The vulnerability is rated 6.8 out of 10 on the CVSSv2 severity scale, which is classed as medium risk.
Microsoft intends to fix the issue; however, the company has so far been unable to provide a fix within the designated timeline. The Zero Day Initiative usually gives companies a 120-day grace period before flaws are reported publicly. The company has reported that it had a hard time triggering the vulnerability because of the proof-of-concept code, a phase in which it lost 75% of its time, leaving the development team only a small window to fix the issue.