lazarusholic

Unmasking CVE-2024-38178: The Silent Threat of Windows Scripting Engine

2024-10-16, S2W
https://medium.com/s2wblog/unmasking-cve-2024-38178-the-silent-threat-of-windows-scripting-engine-91ad954dbf83
#APT37 #CVE-2024-38178 #RokRAT

Contents

Author: Hosu Choi, Minyeop Choi | S2W Talon
Last modified: Oct 16, 2024
Executive Summary
(Vulnerability Overview) On August 13, 2024, Microsoft patched CVE-2024-38178, a vulnerability within JScript9.dll, as part of the August Patch Tuesday.
(Vulnerability Cause) CVE-2024-38178 is a type confusion vulnerability caused by the JIT engine in JScript9.dll performing incorrect optimizations on variables initialized with the usual arithmetic conversion exception operator. It can be used to bypass the CVE-2022-41128 patch released in November 2022.
- A detailed analysis of CVE-2022-41128 is publicly available, and that vulnerability was exploited by a North Korea-linked threat group in 2022, so it is likely that attackers quickly weaponized the vulnerability.
- An attacker exploiting this vulnerability can remotely execute code on a targeted Windows system.
(Related threat groups and attacks) In June 2024, APT37 (Scarcruft), a North Korea-based threat group, exploited this vulnerability in an in-the-wild attack against specific organizations in South Korea.
- …

IoC

09994a03b0a04853894f5d70b3afe85e
e11bb2478930d0b5f6c473464f2a2b6e
f6906de00a124b9fadee90722bf854c2