MS still to patch threat discovered by SA expert

By Admire Moyo, ITWeb's news editor.
Johannesburg, 05 Jun 2018
The vulnerability was reported to the ZDI, which represents a vendor-agnostic bug bounty programme.

Software giant Microsoft is still to patch a vulnerability discovered in its Windows operating system by a South African-based security expert.

Dmitri Kaslov, a security researcher at Telspace Systems, discovered a vulnerability in the JScript component of the Windows operating system that can be exploited by an attacker to execute malicious code on a target computer.

The vulnerability was discovered late last year and "responsibly disclosed to ZDI [Zero Day Initiative] who then reported it to Microsoft on 23 January 2018", Manuel Corregedor, chief operations officer at Telspace Systems, told ITWeb.

Calling themselves "hackers for hire", Telspace Systems is a South African-based information security company with offices in Johannesburg and the UK.

"We, unfortunately, cannot release the full technical details as the vulnerability has not been patched," says Corregedor.

"However, in terms of how an attacker could target a victim, one way would be for the attacker to create a malicious Web page and trick the user into visiting the Web page. This could be done by means of targeting users via a phishing e-mail and/or by infecting legitimate Web sites with malicious scripts."

Corregedor explains that the vulnerability was reported by Kaslov to the ZDI, which represents a vendor-agnostic bug bounty programme. ZDI allows researchers to report zero-day vulnerabilities privately through the initiative to the affected vendors.

Microsoft says this vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Microsoft Windows. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file, it notes.

According to the software giant, the specific flaw exists within the handling of Error objects in JScript. By performing actions in script, an attacker can cause a pointer to be reused after it has been freed. An attacker can leverage this vulnerability to execute code under the context of the current process, it explains.

"This vulnerability is being disclosed publicly without a patch in accordance with the ZDI 120-day deadline," says Microsoft.

Microsoft's full response can be viewed here.

Corregedor is of the view that as no patch currently exists, users will have to, as always, continue to be vigilant and on the lookout for phishing or suspicious e-mails. If users receive such e-mails, they should not click on the links or open the attachments, he points out.

"We would like to encourage other researchers to participate in bug bounty programmes such as those offered by ZDI that ensure responsible disclosure while providing incentives for the researchers," says Corregedor.

"Companies that play in the information security space should establish their own disclosure policy and encourage their analysts and teams to participate in giving back to the community through their research."

He notes there are different models that could be used to encourage the analysts and teams to participate.

"One such model would be for the company and researcher to get acknowledged while the researcher gets the bounty. The prior is the model we utilise at Telspace Systems and have found it works well."
