Security researcher finds Edge browser security issue that allows launching external applications

A security researcher has found a way to start applications on Windows from the Microsoft Edge browser with a fairly simple script. The researcher has made a proof-of-concept available, which means exploits are usually not far away. Microsoft patched the issue in an update that was part of this week's Patch Tuesday.

Users who haven't installed the latest Windows updates should do so as soon as possible, or at least temporarily avoid using Edge until they are able to install the updates.

Security researcher @qab found that it's possible to start other applications by clicking a specially prepared link in the Edge browser. This is possible because the Windows Scripting Host can be called from a URI in Edge. The Windows Scripting Host can be used to execute .VBS files. One .VBS file that comes with Windows by default accepts unfiltered command line arguments. By calling this .VBS file with some commands it's possible to execute arbitrary commands on the computer. In the demonstration video, the Windows Calculator is opened.

The entire proof of concept of the issue is no more than a couple of lines:

<a id="q" href="wshfile:test/../../WinSxS/AMD921~1.48_/SyncAppvPublishingServer.vbs&quot; test test;calc;&quot;">test</a> <script> window.onkeydown=e=>{ window.onkeydown=z={}; q.click() } </script>

The vulnerability is identified as CVE-2018-8495 and Microsoft has given it a severity rating of moderate. That is likely because normally when a user clicks a link that opens a Windows Scripting Host file, a popup appears from which the user has to select the application that should be used to run a script. Therefore, an attacker will need to lure a victim to a specially prepared website and ask the user to hold down the enter key.

This is a rather strange request and the weak spot of this attack. If the user does hold the enter key, the popup will only show for a flash and the rest of the attack will be silently performed in the background.
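As an added illustration from the defender's side (not part of the original article or the researcher's proof of concept), the following Python check scans HTML for links that hand a URI to a non-web protocol handler, which is the pattern the wshfile: link above relies on, and also reports path traversal and argument-separator characters in the link target. The allowlist of schemes and the sample page are assumptions; the sample reuses only the anchor from the proof-of-concept line quoted above.

```python
"""Flag anchors whose href leaves the browser for a registered protocol handler."""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumed allowlist: schemes an ordinary web page is expected to link to.
# Anything else ("" covers relative links) is handed to a protocol handler
# outside the browser and is reported rather than matched against a blocklist.
ALLOWED_SCHEMES = {"", "http", "https", "mailto"}

# Constructed sample page: the anchor from the CVE-2018-8495 proof of concept
# plus one ordinary link (HTMLParser unescapes &quot; to a literal quote).
SAMPLE_HTML = (
    '<a id="q" href="wshfile:test/../../WinSxS/AMD921~1.48_/'
    'SyncAppvPublishingServer.vbs&quot; test test;calc;&quot;">test</a>'
    '<a href="https://example.com/news">news</a>'
)


class LinkCollector(HTMLParser):
    """Collect every href attribute found on <a> elements."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value is not None:
                    self.hrefs.append(value)


def classify_href(href):
    """Return the reasons an href is suspicious (empty list if none)."""
    reasons = []
    scheme = urlsplit(href).scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        reasons.append(f"non-web scheme '{scheme}:'")
    # ../ in the target lets the handler reach files outside its expected folder.
    if "../" in href or "..\\" in href:
        reasons.append("path traversal")
    # Quotes and semicolons in the target suggest extra arguments are smuggled in.
    if '"' in href or ";" in href:
        reasons.append("argument injection characters")
    return reasons


def find_suspicious_links(html):
    """Return [(href, reasons)] for every link that fails at least one check."""
    collector = LinkCollector()
    collector.feed(html)
    results = []
    for href in collector.hrefs:
        reasons = classify_href(href)
        if reasons:
            results.append((href, reasons))
    return results
```

Run against `SAMPLE_HTML`, the function reports only the wshfile: anchor, with all three reasons, and passes the https link.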
