Rewterz Threat Advisory – CVE-2018-8373 Scripting Engine Memory Corruption Vulnerability

The scripting engine in the Internet Explorer is vulnerable to remote code execution attacks due to memory corruption.

IMPACT:  CRITICAL

PUBLISH DATE: 14-08-2018

OVERVIEW

The scripting engine when handling objects in memory in the Internet Explorer is vulnerable to a Remote Code Execution attack. The attacks involve specially crafted web pages promoted through social engineering. Patched versions have been released by the vendor.

BACKGROUND INFORMATION

In the Internet Explorer, the handling of objects by the scripting engine in memory is vulnerable to a remote code execution attack. In case of a successful attack, an attacker could execute arbitrary code in the context of the current user, acquiring all  the user privileges associated with the user. In case the current user has administrative privileges, the whole system could be taken over by the attacker.

In a web-based attack scenario that may involve social engineering, the attack is possible via a specially designed website  meant to exploit the vulnerability in the internet explorer. An attacker can also take advantage of compromised websites or websites that deal with advertisements and user-provided content. These websites can be specially designed with the motive of exploiting this vulnerability.

ANALYSIS

Microsoft Internet Explorer version 11 and earlier are vulnerable to a use-after-free vulnerability that can be exploited in remote code execution attacks. This may hand over elevated user privileges of the system to an attacker, who is then able to install programs; view, modify, or delete data; or create new accounts with full user rights. Proof-of-concept (PoC) code is publicly available and Microsoft has seen exploitation in the wild.

An attacker would need to use a specially crafted web page to exploit this vulnerability. The target audience is convinced to visit the page via social engineering techniques, after which some file on the page drops payloads on the system to execute a remote code.

It is also possible for an attacker to embed an ActiveX control marked “safe for initialization” in an application or Microsoft Office document that hosts the IE rendering engine. The system may crash during the exploitation attempt.

When this vulnerability is triggered, it causes a ‘use after free’ condition in vbscript!AssignVar. This highly critical vulnerability has been addressed in the August updates by Microsoft.

AFFECTED PRODUCTS

Microsoft reports that the following products and versions are vulnerable.

• Internet Explorer 9, 10 and 11
• Windows 7 for 32-bit Systems Service Pack 1
• Windows 7 for x64-based Systems Service Pack 1
• Windows 8.1 for 32-bit Systems
• Windows 8.1 for x64-based Systems
• Windows 10 for 32-bit Systems
• Windows 10 for x64-based Systems
• Windows 10 Version 1703 for 32-bit Systems
• Windows 10 Version 1703 for x64-based Systems
• Windows 10 Version 1709 for 32-bit Systems
• Windows 10 Version 1709 for x64-based Systems
• Windows 10 Version 1803 for 32-bit Systems
• Windows 10 Version 1803 for x64-based Systems
• Windows 10 Version 1607 for 32-bit Systems
• Windows 10 Version 1607 for x64-based Systems
• Windows RT 8.1
• Windows Server 2008 R2 for x64-based Systems Service Pack 1
• Windows Server 2008 for 32-bit Systems Service Pack 2
• Windows Server 2008 for x64-based Systems Service Pack 2
• Windows Server 2012
• Windows Server 2012 R2
• Windows Server 2016

UPDATES

The vendor has released updates for the affected products. Please follow this link for downloading the relevant updates.

https://portal.msrc.microsoft.com/en–US/security–guidance/advisory/CVE–2018–8373

If you think you are a victim of a cyber-security attack. Immediately send an email to info@rewterz.com for a rapid response.