Let’s dive into an exploitation exercise for CVE-2020-1062, a recent Internet Explorer (IE) use-after-free (UAF) vulnerability. After an anonymous contributor who wished to be credited as “Edward Thompson” reported the vulnerability via the iDefense Vulnerability Contributor Program, we passed the information to Microsoft, who fixed the issue in May 2020. By exploiting CVE-2020-1062, an attacker can potentially execute arbitrary code within the sandboxed browser process, though in practice the attacker would need to combine this vulnerability with a separate sandbox-escape vulnerability to build a full attack chain.

The back story

CVE-2020-1062 is present in jscript.dll, the legacy JavaScript engine that IE still bundles for compatibility. All versions of IE from IE9 through IE11 use jscript9.dll by default; however, both jscript9.dll and the older jscript.dll are present on Windows systems. jscript.dll is not loaded by default on recent IE versions, but it can be loaded into any IE version from IE9 through IE11 by putting the page into IE8 compatibility mode. The tags that request this mode make IE load jscript.dll alongside jscript9.dll, so script handled by the legacy engine runs in the same process. “Browser Fuzzing,” a presentation from the 2014 Hack in the Box conference, shows how to force jscript.dll to load this way.
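As an added example (editor’s illustration, not the page’s own snippet or the one from the HITB presentation), the following minimal HTML page shows the two pieces that are commonly used together to pull the legacy engine in: an X-UA-Compatible meta tag that requests IE8 document mode, and a legacy `language` attribute on the script block that only the old engine registers. The engine check is an assumption on my part: the legacy jscript.dll reports `ScriptEngineMajorVersion()` as 5 (JScript 5.x), while jscript9.dll reports 9, 10 or 11 depending on the IE version, so a page can confirm which engine is executing a given block before running anything that depends on it.

```html
<!DOCTYPE html>
<html>
<head>
  <!-- Added example. The compatibility meta tag must come before any
       <script> in <head>; it asks IE9-IE11 to render in IE8 document mode. -->
  <meta http-equiv="X-UA-Compatible" content="IE=EmulateIE8" />
  <title>Which JScript engine is running this block?</title>
</head>
<body>
  <pre id="out"></pre>

  <!-- language="JScript.Encode" is a legacy engine name that jscript9.dll does
       not handle, so IE routes this block to jscript.dll (assumption: this is
       the pairing needed; the meta tag alone keeps plain <script> on jscript9). -->
  <script language="JScript.Encode">
    // ScriptEngine* are Microsoft-specific globals available in both engines.
    // Assumption (editor's note): legacy jscript.dll -> major version 5,
    // jscript9.dll -> 9, 10 or 11 matching the IE release.
    function engineInfo() {
      var major = ScriptEngineMajorVersion();
      var minor = ScriptEngineMinorVersion();
      var build = ScriptEngineBuildVersion();
      return {
        name:    ScriptEngine(),                 // "JScript" for both engines
        version: major + "." + minor + "." + build,
        legacy:  major === 5,                    // true when jscript.dll is active
        docMode: document.documentMode           // expect 8 under EmulateIE8
      };
    }

    var info = engineInfo();
    document.getElementById("out").innerText =
      "engine:  " + info.name + " " + info.version + "\n" +
      "docMode: " + info.docMode + "\n" +
      (info.legacy
        ? "jscript.dll is executing this block (legacy engine loaded)"
        : "jscript9.dll is executing this block (legacy engine NOT in use)");
  </script>
</body>
</html>
```

Save the file locally and open it in IE11; if the output reports document mode 8 and a 5.x engine version, jscript.dll has been loaded into the tab process, which is the precondition for reaching the code path the rest of this write-up discusses. If the page reports mode 11 or an engine version of 9 or higher, check that the meta tag precedes every script element and that the site is not on an Enterprise Mode or compatibility-view list that overrides the requested mode.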