Critical vulnerability in Windows publicly disclosed after Microsoft misses deadline

Posted 04 June 2018 23:46 CEST by Jan Willem Aldershoff

The Zero Day Initiative (ZDI), a security organization that gives security researchers a financial incentive to report 0-day vulnerabilities privately to vendors, has disclosed a vulnerability in Windows for which no patch is available yet. When the vulnerability is successfully exploited, an attacker can execute arbitrary code remotely on the target system.

Simply visiting a malicious or hacked website, or opening a specially crafted file, is sufficient to become a victim of such an attack. The vulnerability exists in the error handling of JScript, a dialect of JavaScript developed by Microsoft.

The ZDI informed Microsoft about the vulnerability on the 23rd of January this year. Exactly three months later, Microsoft reported it had issues reproducing the vulnerability without a proof-of-concept exploit. The next day, the 24th of April, the ZDI informed Microsoft that it had already sent such an exploit with the initial report, and it sent the exploit to Microsoft again. A week later, on the 1st of May, Microsoft confirmed it had received the proof-of-concept exploit.

The ZDI has a policy of giving companies a 120-day deadline to patch a vulnerability. If that deadline expires, the details are publicly disclosed. Microsoft was aware of that and requested an extension of the deadline. The ZDI refused to extend the deadline and has now disclosed limited details of the vulnerability on its website.

For users who want to protect themselves against an attack that abuses the vulnerability, the ZDI has advice. The organization writes on its website, “given the nature of the vulnerability the only salient mitigation strategy is to restrict interaction with the application to trusted files.”

Microsoft’s next Patch Tuesday will be the 12th of June. It is uncertain whether the company will have a patch ready for this issue by then. It is also possible that Microsoft will release an emergency update, based on the severity of the issue.

