Security restrictions bypass in Microsoft JScript

Published: 2018-11-13
Severity Low
Patch available YES
Number of vulnerabilities 1
CVE ID CVE-2018-8417
CWE ID CWE-264
Exploitation vector Local
Public exploit N/A
Vulnerable software Windows Subscribe
Windows Server
Vendor Microsoft

Security Advisory

This security advisory describes one low risk vulnerability.

1) Security restrictions bypass

Severity: Low

CVSSv3: 3.8 [CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:U/RL:O/RC:C]

CVE-ID: CVE-2018-8417

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Description

The vulnerability allows a physical attacker to bypass security restrictions on the target system.

The weakness exists due to an error when Microsoft JScript manages COM object creation. A physical attacker can run a specially crafted application to bypass security restrictions and create arbitrary COM objects.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Windows: 10, 10 1607, 10 1703, 10 1709, 10 1803, 10 1809

Windows Server: 1709, 1803, 2016, 2019

CPE External links

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8417

Q & A

Can this vulnerability be exploited remotely?

No. The attacker should have physical access to the system in order to successfully exploit this vulnerability.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.