A zero-day vulnerability in the JScript has been disclosed to Microsoft. CVE-2018-8267 has been assigned to track this vulnerability. Microsoft has accepted the disclosure, the advisory addressing the issue has been released. It is a use-after-free vulnerability in Windows JScript, the vulnerability is due to improper handling of error objects by JScript. Upon successful exploitation an attacker can gain remote code execution on the target machine. The issue affects Internet Explorer 11,10,9 and does not affect MS Edge.
An attacker needs the target to visit a crafted web page hosting the exploit to trigger the vulnerability. The attacker can also embed an ActiveX control within a MS Office document and target application that have IE rendering engine, this approach is similar to exploiting CVE-2018-8174. Currently the vulnerability is not exploited in the wild. Microsoft has rated this vulnerability as critical.
Mitigation
We request organizations to apply the latest patches from Microsoft as soon as they are released. Qualys customers can scan their network with QID: 100337 to detect vulnerable machines.
Please continue to follow Qualys Threat Protection for more information on this vulnerability.
Reference
(0Day) Microsoft Windows JScript Error Object Use-After-Free Remote Code Execution Vulnerability
CVE-2018-8267 | Scripting Engine Memory Corruption Vulnerability