by Mitja Kolsek, the 0patch Team
June 2021 Windows Updates brought a fix for another "Exploitation More Likely" memory corruption vulnerability in Scripting Engine (CVE-2021-26419), discovered by Ivan Fratric of Google Project Zero and very similar to this vulnerability, also discovered by Ivan and patched in May.
Ivan published details and a proof-of-concept three days ago, and we used these to reproduce the vulnerability in our lab and create a micropatch for it.
Since Microsoft's patch was available, we reviewed it and found the fix in function ByteCodeGenerator::EmitScopeObjectInit, which Ivan had also identified as the source of the flaw. An initialization loop was added to this function to initialize all members of the PropertyID array.
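To show what such an initialization loop buys, here is a small added model of the bug class, written for this post and not taken from ChakraCore or from either patch: an array sized for every scope slot is only partially filled by the symbols being emitted, so untouched slots keep stale memory unless the loop clears them first. The symbol/slot layout, the `NoProperty` sentinel value and the stale-memory pattern are assumptions made for the illustration.

```cpp
#include <cstdint>
#include <cstring>
#include <vector>

// Illustrative model (not ChakraCore code): a PropertyId array with one
// entry per scope slot, where only slots owned by an emitted symbol get set.
using PropertyId = int32_t;
constexpr PropertyId NoProperty = -1;   // assumed sentinel for "no property in this slot"

struct ScopeSymbol { PropertyId id; int slot; };

// Simulates an allocator that hands back memory still holding bytes from a
// previous use; a real heap or recycler makes no promise about contents.
static std::vector<PropertyId> stale_alloc(size_t count) {
    std::vector<PropertyId> buf(count);
    std::memset(buf.data(), 0xCC, count * sizeof(PropertyId));  // constructed stale pattern
    return buf;
}

// Before the fix: slots that no symbol claims keep whatever was in memory.
std::vector<PropertyId> emit_scope_ids_unpatched(const std::vector<ScopeSymbol>& syms,
                                                 size_t slot_count) {
    std::vector<PropertyId> ids = stale_alloc(slot_count);
    for (const auto& s : syms) ids[s.slot] = s.id;
    return ids;
}

// After the fix: every element is set to NoProperty before the symbols are
// written, which is the effect of the initialization loop described above.
std::vector<PropertyId> emit_scope_ids_patched(const std::vector<ScopeSymbol>& syms,
                                               size_t slot_count) {
    std::vector<PropertyId> ids = stale_alloc(slot_count);
    for (size_t i = 0; i < slot_count; i++) ids[i] = NoProperty;
    for (const auto& s : syms) ids[s.slot] = s.id;
    return ids;
}

// Consumer-side check: entries that are neither a valid (non-negative) id
// nor the sentinel are garbage that later code would act on.
size_t count_garbage_ids(const std::vector<PropertyId>& ids) {
    size_t n = 0;
    for (PropertyId id : ids) if (id != NoProperty && id < 0) n++;
    return n;
}
```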
Our micropatch is logically identical to Microsoft's:
See the micropatch in action:
- Windows 7 and Windows Server 2008 R2 without Extended Security Updates
- Windows 7 and Windows Server 2008 R2 with year 1 of Extended Security Updates
- Windows 10 v1803
- Windows 10 v1809