> @taviso: I think @natashenka and I just discovered the worst Windows remote code exec in recent memory.
MsMpEng is the Malware Protection service that is enabled by default on Windows 8, 8.1, 10, Windows Server 2012, and so on. It runs as NT AUTHORITY\SYSTEM without sandboxing, and is remotely accessible without authentication via various Windows services.
On workstations, attackers can access mpengine by sending emails to users (reading the email or opening attachments is not necessary), visiting links in a web browser, instant messaging and so on.
We have discovered that the function JsDelegateObject_Error::toString() reads the "message" property from the this object, but fails to validate the type of the property before passing it to JsRuntimeState::triggerShortStrEvent().
NScript is the component of mpengine that evaluates any filesystem or network activity that looks like JavaScript. To be clear, this is an unsandboxed and highly privileged JavaScript interpreter that is used to evaluate untrusted code, by default on all modern Windows systems. This is as surprising as it sounds.
https://bugs.chromium.org/p/project-zero/issues/detail?id=1252
https://technet.microsoft.com/en-us/library/security/4022344
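The quoted advisory text describes a type-confusion bug: a property read from a script-visible object is handed to a routine that expects a string, without first checking what the property actually holds. The following C snippet is an added illustration, not code from the Project Zero report or from mpengine, and every name in it (the JsValue tag model, get_property, short_str_event, error_to_string_checked, make_error_object) is a hypothetical stand-in for the real interpreter internals. It shows the check a hardened toString needs: look at the value's tag before treating its payload as a char pointer, and reject or explicitly convert anything that is not a string.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical tagged-value model of a script object property (assumption for this example). */
typedef enum { JS_UNDEFINED, JS_NUMBER, JS_STRING, JS_OBJECT } JsTag;

typedef struct {
    JsTag tag;
    union {
        double num;      /* valid when tag == JS_NUMBER */
        const char *str; /* valid when tag == JS_STRING */
        void *ptr;       /* valid when tag == JS_OBJECT */
    } u;
} JsValue;

typedef struct { const char *name; JsValue value; } JsProperty;
typedef struct { JsProperty props[4]; int nprops; } JsObject;

/* Constructors so the example can build sample objects inline. */
JsValue js_string(const char *s) { JsValue v; v.tag = JS_STRING; v.u.str = s; return v; }
JsValue js_number(double d)      { JsValue v; v.tag = JS_NUMBER; v.u.num = d; return v; }
JsValue js_object(void *p)       { JsValue v; v.tag = JS_OBJECT; v.u.ptr = p; return v; }

/* Build an Error-like object whose only property is "message". */
JsObject make_error_object(JsValue message) {
    JsObject o;
    o.nprops = 1;
    o.props[0].name = "message";
    o.props[0].value = message;
    return o;
}

/* Property lookup on the "this" object; returns NULL when the property is absent. */
static const JsValue *get_property(const JsObject *obj, const char *name) {
    for (int i = 0; i < obj->nprops; i++)
        if (strcmp(obj->props[i].name, name) == 0)
            return &obj->props[i].value;
    return NULL;
}

/* Stand-in for the string-consuming callee: it is only safe when handed a real C string. */
static size_t short_str_event(const char *s) { return strlen(s); }

/* Hardened toString: validate the tag before the payload reaches the string consumer.
   Returns 0 on success and -1 when the value would need an object-to-string conversion
   that this toy interpreter does not implement. An unchecked version would take
   msg->u.str regardless of tag and hand a number's bit pattern or an object pointer
   to short_str_event() as if it were a char* -- exactly the class of bug described above. */
int error_to_string_checked(const JsObject *self, char *out, size_t outlen) {
    const JsValue *msg = get_property(self, "message");
    if (msg == NULL || msg->tag == JS_UNDEFINED) {
        snprintf(out, outlen, "Error");
        return 0;
    }
    switch (msg->tag) {
    case JS_STRING:
        snprintf(out, outlen, "Error: %s", msg->u.str);
        short_str_event(msg->u.str);
        return 0;
    case JS_NUMBER:
        /* Explicit conversion instead of reinterpreting the double as a pointer. */
        snprintf(out, outlen, "Error: %g", msg->u.num);
        short_str_event(out);
        return 0;
    default:
        /* JS_OBJECT: refuse rather than guess; a real engine would invoke ToString on it. */
        return -1;
    }
}

int main(void) {
    char buf[64];
    JsObject ok = make_error_object(js_string("boom"));
    if (error_to_string_checked(&ok, buf, sizeof buf) == 0) printf("%s\n", buf);
    int dummy = 0;
    JsObject bad = make_error_object(js_object(&dummy));
    printf("object message -> %d\n", error_to_string_checked(&bad, buf, sizeof buf));
    return 0;
}
```

The point of the switch is that every branch names the representation it is about to read; the unsafe path in the report is the one where that decision is skipped and the raw union payload is used as a string.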
Comments
I wasn't paying attention, there was already an intro article: https://hup.hu/cikkek/20170508/tavis_ormandy_a_kozelmult_legrosszabb_ta…
Can be deleted