The Microsoft Edge vulnerability carries the code CVE-2018-8495. Through Edge, a bad actor could run malicious code from a remote location and take over a system. Al-Qabandi took to his blog to publish the PoC. After discovering the problem, the Kuwaiti security expert reported it through Trend Micro’s Zero-Day Initiative. With the proof-of-concept, researchers can now replicate the problem and study it. Indeed, the code is unusually simple, consisting only of HTML and JavaScript. Al-Qabandi explains that an attacker could deliver the code by tricking users into visiting a malicious website in Microsoft Edge. Just pressing Enter on the website would run the malicious code (or, in this case, the PoC).
CVE write-up is here: https://t.co/WizmAE8Ixx — Catalin Cimpanu (@campuscodi) October 12, 2018

When triggered, the code executes a Visual Basic script in Windows Script Host (WSH). The researcher says the PoC only launches Windows Calculator. However, a skilled coder would be able to adapt the code to run other applications and system files. This is a classic attack that would rely on the naivety of the user. So-called social engineering attacks attempt to trick users into essentially downloading the malware themselves. As such, Al-Qabandi says this vulnerability would more likely be used against specific high-value targets. It is worth noting that with the Windows 10 October 2018 Patch Tuesday updates, the problem should be fixed. Microsoft says it has not observed any instances of the exploit in the wild.
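One defender-side check that follows from the chain described above (an added example, not code from the article or from the researcher's PoC): scan process-creation logs for a browser process launching Windows Script Host, since a web page has no legitimate reason to spawn a script interpreter. The CSV log format, the file paths and the process names used (MicrosoftEdge.exe/MicrosoftEdgeCP.exe for Edge, wscript.exe/cscript.exe for WSH) are assumptions made for this example.

```python
import csv
import io

# Assumed process names: legacy Edge browser/content processes and the two WSH hosts.
EDGE_PROCESSES = {"microsoftedge.exe", "microsoftedgecp.exe"}
WSH_PROCESSES = {"wscript.exe", "cscript.exe"}

# Constructed sample of process-creation events (not real telemetry).
SAMPLE_LOG = """\
timestamp,parent_image,image,command_line
2018-10-12T10:00:01Z,C:\\Windows\\explorer.exe,C:\\Windows\\System32\\notepad.exe,notepad.exe
2018-10-12T10:00:05Z,C:\\Program Files\\Edge\\MicrosoftEdgeCP.exe,C:\\Windows\\System32\\wscript.exe,wscript.exe C:\\Users\\victim\\Downloads\\page.vbs
2018-10-12T10:00:09Z,C:\\Windows\\System32\\cmd.exe,C:\\Windows\\System32\\cscript.exe,cscript.exe //nologo admin.vbs
"""


def basename(path):
    """Return the lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def find_edge_wsh_spawns(log_text):
    """Return the events in which an Edge process is the parent of a WSH process."""
    hits = []
    for row in csv.DictReader(io.StringIO(log_text)):
        parent = basename(row["parent_image"])
        child = basename(row["image"])
        if parent in EDGE_PROCESSES and child in WSH_PROCESSES:
            hits.append({
                "timestamp": row["timestamp"],
                "parent": parent,
                "child": child,
                "command_line": row["command_line"],
            })
    return hits


if __name__ == "__main__":
    for hit in find_edge_wsh_spawns(SAMPLE_LOG):
        print(f"{hit['timestamp']} {hit['parent']} -> {hit['child']}: {hit['command_line']}")
```

The cmd.exe-launched cscript.exe event is deliberately left unflagged: an administrator running a script from a shell is normal, whereas a browser doing so is the behaviour the PoC demonstrates.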
Patch Tuesday
Also on Patch Tuesday, Microsoft issued a fix for a zero-day vulnerability that was reported by Kaspersky in August. Microsoft explained the Win32k Elevation of Privilege Vulnerability (CVE-2018-8453) and the update to patch it: “An elevation of privilege vulnerability exists in Windows when the Win32k component fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.”