The bug uses a problem in the javascript 'Window()' function, if run from 'onload'. 'onload' is an argument to the HTML <body> tag, and is used to execute javascript as the page loads.
The Javascript Window() vulnerability has been known for a few months now, but it has so far been treated as a denial of service (DoS) vulnerability. The author of this PoC figured out a way to use this older vulnerability to execute code.
Impact:
Arbitrary executables may be executed without user interaction. The PoC demo as tested by us will launch the calculator (calc.exe).
In addition ot the PoC 'Calculator' exploit, a reader (thanks Chris R!) submitted a version that opens a remote shell. The PoC exploit allows for easy copy/paste of various shell code snippets.
In itself, the vulnerability will not escalate privileges. We are trying to verify other exploits at this point.
Mitigation:
Turn off javascript, or use an alternative browser (Opera, Firefox). If you happen to use Firefox: This bug is not affecting firefox. But others may. For firefox, the extnion 'noscript' can be used to easily allow Javascript for selected sites only.
The Javascript Window() vulnerability has been known for a few months now, but it has so far been treated as a denial of service (DoS) vulnerability. The author of this PoC figured out a way to use this older vulnerability to execute code.
Impact:
Arbitrary executables may be executed without user interaction. The PoC demo as tested by us will launch the calculator (calc.exe).
In addition ot the PoC 'Calculator' exploit, a reader (thanks Chris R!) submitted a version that opens a remote shell. The PoC exploit allows for easy copy/paste of various shell code snippets.
In itself, the vulnerability will not escalate privileges. We are trying to verify other exploits at this point.
Mitigation:
Turn off javascript, or use an alternative browser (Opera, Firefox). If you happen to use Firefox: This bug is not affecting firefox. But others may. For firefox, the extnion 'noscript' can be used to easily allow Javascript for selected sites only.