Recently, Kaslov, a security researcher discovered 0day vulnerability in Windows, which was caused by the JScript component in the system, allowing remote attackers to execute malicious code on the user’s PC.
“This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Microsoft Windows. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.”
“The specific flaw exists within the handling of Error objects in JScript. By performing actions in script, an attacker can cause a pointer to be reused after it has been freed. An attacker can leverage this vulnerability to execute code under the context of the current process.”
Because this vulnerability affects JScript components (Microsoft Custom JavaScript implementation), the only condition is that an attacker must trick the user into accessing a malicious web page, or download and open a malicious JS file on the system (usually through Windows execution script host – wscript.exe).
Compared to most vulnerabilities, the vulnerability scored 6.8 points in the CVSSv2 severity rating, which is a very high score.
