Memory Corruption Vulnerability in Microsoft Scripting Engine

  • CERT Admin
  • Fri Jun 19 2020
  • Alerts

Systems Affected

ChakraCore

Microsoft Edge (EdgeHTML-based) for

  •      https://portal.msrc.microsoft.com/en-us/security-guidance
  •   Windows 10 version 1607 for 32-bit Systems and x64-based Systems
  •   Windows 10 version 1709 for 32-bit Systems, ARM64-based Systems and x64-based Systems
  •   Windows 10 version 1803 for 32-bit Systems, ARM64-based Systems and x64-based Systems
  •   Windows 10 version 1809 for 32-bit Systems, ARM64-based Systems and x64-based Systems
  •   Windows 10 version 1903 for 32-bit Systems, ARM64-based Systems and x64-based Systems
  •   Windows 10 version 1909 for 32-bit Systems, ARM64-based Systems and x64-based Systems
  •   Windows Server 2016
  •   Windows Server 2019

Overview

Vulnerability resides in the Microsoft script engine where an attacker could perform remote code execution with the user privilege of the current user


Description

Vulnerability exists in the Chakra scripting engine due to the ineffective way of handling objects in the memory. Remote attacker could exploit this vulnerability to execute arbitrary code pretending to be the current user. Which means an attacker could gain the same user privilege as the currently logged-in user. If the user has logged-in with administrator privileges an attacker could do more damage to the system.


Impact

  • Possibility of exposing confidential information to unauthorized parties
  • System could be infected with malware


Solution/ Workarounds

Apply appropriate patches as mentioned in the Microsoft Security Guidance

  https://portal.msrc.microsoft.com/en-us/security-guidance


References

  • https://www.cert-in.org.in
  • https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1073


Disclaimer

The information provided herein is on "as is" basis, without warranty of any kind.



Last updated: Fri Jun 19 2020