A vulnerability exists in the Windows operating system's JScript component that can allow an attacker to execute malicious code on a user's computer.
Responsible for discovering this bug is Dmitri Kaslov of Telspace Systems, who passed it along to Trend Micro's Zero-Day Initiative (ZDI), a project that intermediates the vulnerability disclosure process between independent researchers and larger companies.
ZDI experts reported the issue to Microsoft back in January, but Microsoft has yet to release a patch for this vulnerability. Yesterday, ZDI published a summary containing light technical details about the bug.
According to this summary, the vulnerability allows remote attackers to execute malicious code on users' PCs.
"The specific flaw exists within the handling of Error objects in JScript," ZDI experts explained. "By performing actions in [Jscript], an attacker can cause a pointer to be reused after it has been freed. An attacker can leverage this vulnerability to execute code under the context of the current process."
"Due to the sensitivity of the bug, we don’t want to provide too many technical details until a full fix from Microsoft is available," Brian Gorenc, director of Trend Micro's Zero Day Initiative, told Bleeping Computer in an email today.
Gorenc told us the vulnerability is not as dangerous as it sounds, as it does not allow a full system compromise.
"The flaw only allows code execution within a sandboxed environment," Gorenc said. "An attacker would need additional exploits to escape the sandbox and execute their code on the target system."
The vulnerability has received a 6.8 rating out of 10 on the CVSSv2 severity scale, which is a pretty high score, when compared to most vulnerabilities.
According to Gorenc, a patch is coming. "To the best of our knowledge, Microsoft does still intend to release a fix for this bug. However, they did not complete the fix within the timelines set out in our disclosure policy."
ZDI usually gives companies 120 days to patch reported flaws before they go public with their advisories. According to a timeline of Microsoft's replies, the OS maker had a hard time reproducing the proof-of-concept code needed to trigger the vulnerability, losing around 75% of the 120 disclosure timeline, leaving its engineers little time to put together and test a patch in time for May's Patch Tuesday.
While Microsoft did not provide an exact timeline of when it plans to roll out a patch, a spokesperson confirmed they are working on a fix.
Gorenc added that ZDI was not aware of real-world attempts to exploit this flaw at the time of the disclosure. With little technical details available online, it's most likely to remain so until Microsoft releases fixes.
For now, ZDI experts advise users against allowing applications that rely on the JScript component —such as Internet Explorer, wscript.exe, and others— to process untrusted JS code or files.