August 2024 Windows Updates brought a patch for CVE-2024-38178, a remotely exploitable memory corruption issue in "legacy" Scripting Engine (JScript9.dll). This engine, while part of long-expired Internet Explorer, is still present on all Windows computers and can be invoked via various mechanisms, for instance from an Office document.
Subsequently, security researchers Hosu Choi and Minyeop Choi of S2W Talon published a detailed article, which included a short proof-of-concept script, allowing us to reproduce the issue and issue our own patches for it.
The Vulnerability
This is yet another vulnerability in JScript9.dll's Just-in-Time (JIT) compiler. We've patched these kinds of issues in JScript9 JIT before (CVE-2021-34480, CVE-2022-41128), and this issue is actually just a bypass for the latter's patch.
In a similar way as with CVE-2022-41128, exploitation is done by malicious JavaScript code rendered by JScript9.dll, which first forces Scripting Engine to switch to JIT by executing a very long loop, thereby triggering JIT optimization. The JIT'ed malicious function is written so that JIT compiler generates flawed code, which is then used for corrupting memory and finally executing attacker's code on user's computer.
We encourage you to read the SW2 Talon article for details.
Microsoft's Patch
Microsoft patched this issue with a substantial amount of additional code, and an extension of some data structures.
Our Micropatch
We usually create our patches to be logically identical, or at least similar to Microsoft's. However, in this case we decided to take a different approach: namely, while JIT-compiled code can be significantly faster than interpreted JavaScript bytecode, this effect is strongest on special cases that are typically not encountered in real-world use.
On the other hand, about 50% of all vulnerabilities in browsers are related to JIT, which led Microsoft to introduce a "Super Duper Secure Mode" to their Edge browser already back in 2021. This mode disables JIT, and as claimed in their article, "... we find that users with JIT disabled rarely notice a difference in their daily browsing."
So we decided to fix some past JIT-related vulnerabilities that we had no test cases for, and all future JIT-related vulnerabilities in Jscript9.dll - by simply disabling JIT. In contrast to Edge, Internet Explorer never had a switch to disable JIT, so we couldn't piggyback on that and had to find our own way. Our approach was to patch function NewFunctionCodeGen, which is called whenever some JavaScript code should be JIT compiled, such that it always returns an error - so the execution continues with JavaScript bytecode instead.
Our
patch has a single CPU instruction, setting the return value of function NewFunctionCodeGen to 0. The calling function, checking for this error, does the rest of the work.
;XX-2521
MODULE_PATH "..\AffectedModules\jscript9.dll_11.00.22000.1641_Win11-21H2_64-bit_u2023-10\jscript9.dll"
PATCH_ID 2075
PATCH_FORMAT_VER 2
VULN_ID 7838
PLATFORM win64
patchlet_start
PATCHLET_ID 1
PATCHLET_TYPE 2
PATCHLET_OFFSET 0x104183
N_ORIGINALBYTES 5
JUMPOVERBYTES 5
code_start
mov rax, 0
code_end
patchlet_end
Micropatch Availability
Micropatches were written for the following security-adopted versions of Windows with all available Windows Updates installed:
- Windows 11 v21H2 - fully updated
- Windows 10 v21H2 - fully updated
- Windows 10 v21H1 - fully updated
- Windows 10 v20H2 - fully updated
- Windows 10 v2004 - fully updated
- Windows 10 v1909 - fully updated
- Windows 10 v1809 - fully updated
- Windows 10 v1803 - fully updated
- Windows 7 - fully updated with no ESU, ESU 1, ESU 2 or ESU 3
- Windows Server 2012 R2 - fully updated with no ESU
- Windows Server 2008 R2 - fully updated with no ESU, ESU 1, ESU 2, ESU 3 or ESU 4
Vulnerabilities like these get discovered on a regular basis, and
attackers know about them all. If you're using Windows that aren't
receiving official security updates anymore, 0patch will make sure these
vulnerabilities won't be exploited on your computers - and you won't
even have to know or care about these things.
If you're new to 0patch, create a free account in 0patch Central, start a free trial, then install and register 0patch Agent. Everything else will happen automatically. No computer reboot will be needed.
We would like to thank Hosu Choi and Minyeop Choi of S2W Talon for sharing their analysis and proof-of-concept, which made it possible for us to create a
micropatch for this issue.
No comments:
Post a Comment