HomeWinBuzzer NewsMicrosoft Edge Zero-Day Vulnerability Fixed on Patch Tuesday Receives Proof-of-Concept

Microsoft Edge Zero-Day Vulnerability Fixed on Patch Tuesday Receives Proof-of-Concept

A security researcher who discovered a Microsoft Edge flaw has published a proof-of-concept for the vulnerability.

-

Earlier this week, rolled out Cumulative Updates for the October . Among the issues the company fixed was a vulnerability in browser. Today, a security researcher has published a proof-of-concept (PoC) of the flaw.

The Microsoft Edge vulnerability carries the code CVE-2018-8495. Through Edge, a bad actor could run malicious code from a remote location and take over a system. Al-Qabandi took to his blog to publish the PoC.

After discovering the problem, the Kuwait security expert reported it through Trend Micro's Zero-Day Initiative. With the proof-of-concept, researchers can now replicate the problem and study it. Indeed, the code is unusually simple in HTML and JavaScript.

Al-Qabandi explains an attacker could implement the code by tricking users into using a malicious website on Microsoft Edge. Just pressing enter on the website would run the malicious code (or in this case, the PoC).

When running, the code executes a Visual Basic script in Windows Script Host (WSH). The researcher says the PoC only runs in Windows Calculator. However, a skilled coder would be able to implement the code in other applications and system files.

This is a classic attack that would rely on the naivety of the user. So-called social engineering attacks attempt to trick users into essentially downloading the malware themselves. As such, Al-Qabandi says this vulnerability would more likely be used for specific high-value target.

It is worth noting that through the October 2018 Patch Tuesday updates, the problem should be gone. Microsoft says it has not observed any instances of the exploit in the wild.

Patch Tuesday

Also on Patch Tuesday, Microsoft issued a fix for a zero-day vulnerability that was reported by Kaspersky in August. Microsoft explained the Win32k Elevation of Privilege Vulnerability (CVE-2018-8453) and the update to patch it:

“An elevation of privilege vulnerability exists in Windows when the Win32k component fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.”

SourceLeucosite
Luke Jones
Luke Jones
Luke has been writing about all things tech for more than five years. He is following Microsoft closely to bring you the latest news about Windows, Office, Azure, Skype, HoloLens and all the rest of their products.

Recent News