Security researcher releases PoC code used to run malicious code
Microsoft had rolled out a fix
KUWAIT CITY, Oct 13: A security researcher has published proof-of-concept code which an attacker can use to run malicious code on a remote computer via the Microsoft Edge browser, reports Al-Rai daily, quoting zdnet.com.
The proof-of-concept (PoC) code is for a Microsoft Edge vulnerability – CVE-2018-8495 – that Microsoft patched this week, part of its October 2018 Patch Tuesday.
The vulnerability was discovered by Kuwaiti security researcher Abdulrahman Al-Qabandi, who reported his findings to Microsoft via Trend Micro’s Zero-Day Initiative program.
Today, after making sure Microsoft had rolled out a fix, Al-Qabandi published in-depth details about the Edge vulnerability on his blog.
Besides the usual technical breakdown that accompanies all such vulnerability write-ups, the researcher also included proof-of-concept code so other researchers could reproduce the bug’s effect.
Such PoCs are usually quite complex, but Al-Qabandi’s code is only HTML and JavaScript, meaning it could be hosted on any website.
According to the researcher, all the attacker needs to do is trick a user into accessing a malicious website hosting the PoC via an Edge browser, and then into pressing the Enter key. Once the user lets go of the Enter key, the PoC runs and executes a Visual Basic script via the Windows Script Host (WSH) default application.
In its current form, the PoC will only start the Windows Calculator app, but any skilled malware author can modify this code with ease to trigger more dangerous operations, such as silently downloading and installing malware.
Since the vulnerability requires social engineering, it is likely not that useful for automated malware campaigns, such as the ones executed via exploit kits and malvertising (the use of online advertising to spread malware).