A security researcher published proof-of-concept code today that an attacker can use to run malicious code on a remote computer via the Microsoft Edge browser.
The vulnerability was discovered by Kuwaiti security researcher Abdulrahman Al-Qabandi, who reported his findings to Microsoft via Trend Micro's Zero-Day Initiative program.
Today, after making sure Microsoft had rolled out a fix, Al-Qabandi published in-depth details about the Edge vulnerability on his blog.
Besides the usual technical breakdown that accompanies all such vulnerability write-ups, the researcher also included proof-of-concept code so other researchers could reproduce the bug's effect.
According to the researcher, all the attacker needs to do is trick a user into accessing a malicious website hosting the PoC via an Edge browser and then pressing the Enter key. Once the user lets go of the Enter key, the PoC runs and executes a Visual Basic script via the Windows Script Host (WSH) default application.
In its current form, the PoC will only start the Windows Calculator app, but any skilled malware author can modify this code with ease to trigger more dangerous operations, such as silently downloading and installing malware.
A video showing how easy it is to trick a user into accidentally auto-hacking himself is embedded below.
Since the vulnerability requires social engineering, it is likely not that useful for automated malware campaigns, such as the ones executed via exploit kits and malvertising campaigns. Instead, the vulnerability may prove very useful for targeted attacks against selected, high-value targets.
Running Windows 10 with the October 2018 security patches will prevent attackers from using this vulnerability against Windows users.
Microsoft said it did not detect exploitation attempts for this vulnerability before it deployed a patch this Tuesday.