|CERT-In Vulnerability Note
Multiple Vulnerabilities in Microsoft Scripting Engine
Original Issue Date:December 09, 2015
Severity Rating: HIGH
- Windows Vista Service Pack 2
- Windows Vista x64 Edition Service Pack 2
- Windows Server 2008 for 32-bit Systems Service Pack 2
- Windows Server 2008 for x64-based Systems Service Pack 2
- Windows Server 2008 for Itanium-based Systems Service Pack 2
- Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)
- Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)
- Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation only)
- JScript 5.7
- JScript 5.8
- VBScript 5.7
- VBScript 5.8
Multiple vulnerabilities have been reported in Microsoft Windows which could be exploited by a remote attacker to execute arbitrary code, gain elevated privileges or disclose sensitive information in context of the current logged in user.
1. Scripting Engine Information Disclosure Vulnerability
An information Disclosure Vulnerability exists in the VBScript engines due to improper handling of the objects in memory. A remote attacker could exploit this vulnerability by enticing a target user to visit a specially crafted website. Successful exploitation of this vulnerability could allow the attacker to obtain sensitive information could use the information to launch further attacks.
2. Scripting Engine Memory Corruption Vulnerability
A vulnerability exists in the VBScript engine due to improper handling of the objects in memory by Internet Explorer when handling crafted content. A remote attacker could exploit this vulnerability by creating a specially crafted website and enticing the targeted user to visit this website or by embedding a "safe for initialization" ActiveX control in an application or Microsoft Office document hosting the IE rendering engine.
Successful exploitation of this vulnerability could allow the attacker to execute arbitrary code with the privileges of the targeted user. If the targeted user is logged in with admin privileges, the attacker could gain complete control of the targeted system.
- Restrict access to VBScript.dll
Apply appropriate updates as mentioned in the Microsoft Security Bulletin
The information provided herein is on "as is" basis, without warranty of any kind.
Email: firstname.lastname@example.org Phone: +91-11-24368572
Indian Computer Emergency Response Team (CERT-In)
Ministry of Electronics and Information Technology
Government of India
6, CGO Complex, Lodhi Road,
New Delhi - 110 003