CVE-2018-8391

Vulnerability

A remote code execution vulnerability exists in the way the ChakraCore scripting engine handles objects in memory, classified as a memory corruption issue [1]. This affects all versions of ChakraCore prior to the security update released in September 2018 [3]. The vulnerability is triggered when the engine improperly processes specially crafted JavaScript code, leading to memory corruption.

Exploitation

An attacker can exploit this vulnerability by hosting a specially crafted website that contains malicious JavaScript, then convincing a user to visit that site (e.g., via email or social engineering). No authentication is required, and the attacker does not need any special network position beyond serving the malicious content. The user interaction is limited to browsing to the malicious page, which triggers the memory corruption in the ChakraCore engine.

Impact

Successful exploitation allows an attacker to execute arbitrary code in the context of the current user. If the user has administrative privileges, the attacker could gain full control of the affected system, including the ability to install programs, view/change/delete data, or create new accounts with full user rights. The impact is complete compromise of confidentiality, integrity, and availability.

Mitigation

Microsoft released a security update for ChakraCore as part of the September 2018 Patch Tuesday, which addresses this vulnerability [1]. Users should update to the latest version of ChakraCore (version 1.11 or later) to receive the fix [2]. No workarounds are available. This CVE is not listed in the Known Exploited Vulnerabilities (KEV) catalog as of the publication date.