Out-of-Bounds Vulnerability In Microsoft VBScript Can Cause Internet Explorer To Crash

Microsoft VBScript is an Active Scripting language modeled on Visual Basic. It is very similar to Visual Basic and can be used to create a server-side scripting environment for dynamic web pages that use VBScript or JavaScript.

rtFilter Out-Of-Bounds Vulnerability

There seems to be an out-of-bounds vulnerability in Microsoft’s VBScript with the rtFilter function. The function provides a library written in C implementing real-time digital filtering for multichannel signals.

An out-of-bounds vulnerability lets an attacker send malicious input to the host system. The input triggers an out-of-bounds read condition, which can help the attacker run arbitrary code.

The initial analysis on Packetstorm states: “The rtFilter function is called from VbsFilter when a Filter() function is invoked. The Filter() function takes an array of strings and a string as params and returns another array containing just those elements from the original array containing the specified (sub)string.” It further adds: “The issue is that the input array can be resized during the rtFilter call (by invoking a default getter on one of the input array members) and rtFilter fails to handle this case correctly. While rtFilter does implement some logic to determine if the input array has been resized, this logic fails to take into account elements of the input array that *do not match* the input string (Notice the “b” strings in the PoC and how the PoC would stop to work if those are all changed to “a”).”

In short, rtFilter does not correctly handle the input array being resized during the rtFilter call.
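The bug class in the quoted analysis can be shown with a small C model. This is an added example, not Microsoft's code and not the PoC: the `arr` struct, `get`, `filter_stale_reads` and `run` are hypothetical names, the input is constructed, and the model counts reads past the live length instead of performing them.

```c
#include <stdio.h>
#include <string.h>

#define CAP 6

/* Toy resizable array: 'len' is the live length, storage stays CAP wide
   so the model never touches memory it does not own. */
struct arr { const char *item[CAP]; size_t len; };

/* Stand-in for an element with a default getter: reading index 1
   shrinks the array to two elements as a side effect. */
static const char *get(struct arr *a, size_t i) {
    const char *s = a->item[i];
    if (i == 1) a->len = 2;
    return s;
}

/* Counts reads at indexes past the live length.
   strict = 0: length re-checked only after a matching element.
   strict = 1: length re-checked after every element read. */
static size_t filter_stale_reads(struct arr *a, const char *needle, int strict) {
    size_t n = a->len, stale = 0;          /* length cached at entry */
    for (size_t i = 0; i < n; i++) {
        if (i >= a->len) stale++;          /* out of bounds in a real heap array */
        const char *s = get(a, i);
        int match = strstr(s, needle) != NULL;
        if ((match || strict) && a->len < n) n = a->len;
    }
    return stale;
}

/* Constructed input: "a" followed by five copies of 'fill'; needle is "a". */
size_t run(const char *fill, int strict) {
    struct arr a = { { "a", fill, fill, fill, fill, fill }, CAP };
    return filter_stale_reads(&a, "a", strict);
}

int main(void) {
    printf("match-only check, \"b\" fill: %zu stale reads\n", run("b", 0));
    printf("match-only check, \"a\" fill: %zu stale reads\n", run("a", 0));
    printf("check every read,  \"b\" fill: %zu stale reads\n", run("b", 1));
    return 0;
}
```

With non-matching elements the match-only check never fires and the loop keeps using the cached length; re-validating the length after every element access closes the gap.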

Who Is At Risk?

Internet Explorer users are the ones mostly affected. No other browsers use VBScript, so IE is the only one at risk. The vulnerability hasn’t been patched and is still present on Windows 7, even with the latest patch.

VBScript is aging, although Microsoft has decided to provide future support for VBScript within ASP.NET. Even Windows Edge and IE11 have dropped it as a scripting language. This vulnerability can only cause Internet Explorer to crash; the researchers have not mentioned more serious attacks.

Indranil Chowdhury