Security Vulnerability
The VBScript Engine is a remote code execution vulnerability and if executed in a victim computer would operate undetected in its memory (RAM). An attacker who successfully exploited this vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.[1]
In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit the vulnerability through Internet Explorer and then convince a user to view the website. An attacker could also embed an ActiveX control marked, "safe for initialization" in an application or Microsoft Office document that hosts the Internet Explorer rendering engine. The attacker could also take advantage of compromised websites and websites that accept or host user-provided content or advertisements. These websites could contain specially crafted content that could exploit the vulnerability. The current CVE security update addresses this vulnerability by modifying how the scripting engine handles objects in memory.
Exploitability Assessment
The following table provides an exploitability assessment[2] for this vulnerability at the time of original publication.
Affected Products
The below software versions or editions are affected. Versions or editions that are not listed are either past their support life cycle or are not affected. To determine the support life cycle for your software version or edition, see the Microsoft Support Lifecycle.[1]
[1] https://support.microsoft.com/en-us/lifecycle
[1] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8174
[2] https://technet.microsoft.com/en-us/security/cc998259.aspx
Comments