Specialists in a cyber security course have revealed the finding of critical vulnerabilities in VBScript, the language interpreted by Microsoft’s Windows Scripting Host. Exploiting these flaws could allow threat actors to trigger scenarios such as buffer overflow to deploy subsequent attacks.
Below are brief descriptions of reported vulnerabilities, in addition to their respective Common Vulnerability Scoring System (CVSS) keys and scores.
CVE-2020-1035: This is a buffer overflow flaw that exists due to an error in the VBScript engine. A remote threat actor could create a specially designed web page to trick the target user, trigger data in memory, and execute arbitrary code on the vulnerable system, which may be fully compromised in the event of successful exploitation of this vulnerability.
The vulnerability received a score of 6.5/10 on the CVSS scale, so it is considered a moderate severity error. The flaw is present in Microsoft Internet Explorer versions 9 and 11.
CVE-2020-1058: This vulnerability allows remote threat actors to execute arbitrary code on the target system. The vulnerability exists due to a limit error within the VBScript engine. A hacker could create a specially designed website, trick the victim into opening it, trigger memory corruption and execute arbitrary code.
According to cyber security course experts, this flaw also received a score of 6.5/10 on the CVSS scale and is found in Internet Explorer versions 9 and 11.
CVE-2020-1060: This is a buffer overflow flaw and allows a remote attacker to execute arbitrary code on the target system. The vulnerability exists due to a limit error within the VBScript engine and its successful operation would allow a full compromise of the affected system.
To exploit this flaw, the attacker would only have to trick the victim into visiting a specially designed website. As in previous cases, the flaw received a score of 6.5/10, so it is considered moderate severity, and is present in Microsoft Internet Explorer versions 9 and 11.
CVE-2020-1093: This is also a buffer overflow vulnerability and allows a remote malicious hacker to execute arbitrary code on the compromised system. The vulnerability exists due to a limit error within the VBScript engine and its exploitation allows the creation of web pages specially designed to trick users and execute arbitrary code on the target system.
The flaw received a CVSS score of 6/10, so it is considered an average severity error, and is present in Internet Explorer versions 9 and 11, cyber security course experts mention.
While reported flaws can be exploited remotely, it is worth mentioning that so far the existence of a script for exploitation has not been detected. The International Institute of Cyber Security (IICS) recommends installing the official patches as soon as possible.
He is a well-known expert in mobile security and malware analysis. He studied Computer Science at NYU and started working as a cyber security analyst in 2003. He is actively working as an anti-malware expert. He also worked for security companies like Kaspersky Lab. His everyday job includes researching about new malware and cyber security incidents. Also he has deep level of knowledge in mobile security and mobile vulnerabilities.