Security researchers have found a Windows vulnerability that enables the attackers to execute arbitrary code – and Microsoft hasn’t issued a fix yet.
The vulnerability, which was first found by Dmitri Kaslov of Telspace Systems, exists inside the handling of error objects in JavaScript, according to Trend Micro’s Zero Day initiative group.
This exploit allows remote execution of arbitrary code on specific versions of Windows. Nonetheless, it’s important to state that the user interaction is required: The target must be deceived into opening a malicious page or document, which at that point executes the malignant JScript on the system.
Brian Gorenc, director of ZDI publicly stated that there is no indication that vulnerability is being exploited by hackers:
“The flaw allows code execution within a sandboxed environment,” he explained. “An attacker would need additional exploits to escape the sandbox and execute their code on the target system. In all likelihood, this would be one step of an exploit chain. At Pwn2Own, we typically see several bugs combined together to make a complete exploit. Something similar would need to happen with this bug.”
Microsoft has not yet responded.