Unmasking CVE-2024-38178: The Silent Threat of Windows Scripting Engine

Oct. 18, 2024, 9:20 a.m.

Description

CVE-2024-38178 is a type confusion vulnerability in JScript9.dll, patched by Microsoft in August 2024. It allows bypassing the CVE-2022-41128 patch through incorrect JIT engine optimizations. APT37, a North Korean threat group, exploited this vulnerability in June 2024 against South Korean targets. The exploit enables remote code execution on Windows systems. Affected software includes Microsoft Edge (IE mode) and media players using legacy WebView. The vulnerability stems from improper type validation in the JIT compiler, leading to arbitrary code execution. Mitigation involves updating Windows and disabling IE mode in Edge.

Date

Published: Oct. 17, 2024, 10:39 a.m.

Created: Oct. 17, 2024, 10:39 a.m.

Modified: Oct. 18, 2024, 9:20 a.m.

Attack Patterns

ROKRAT - S0240

APT37

T1012

T1059.007

T1497

T1071.001

T1573

T1203

T1082

T1057

T1105

T1083

T1055

T1140

T1132

T1027

T1112

T1190

Additional Information

Software