The RCE bug exploitable from attacker-controlled websites

Oct 12, 2018 15:28 GMT

The Microsoft Edge remote code execution bug patched by Microsoft received a proof-of-concept from the security researcher who reported it via a Trend Micro Zero-Day Initiative advisory.

Abdulrahman Al-Qabandi initially reported the CVE-2018-8495 vulnerability in the Microsoft Edge browser to Microsoft on July 3, and the company patched it in its October 2018 Patch Tuesday.

According to the researcher, "User interaction is required to exploit this vulnerability in that the target must visit a malicious web page and perform a UI action."

After Microsoft's CVE-2018-8495 patch was released, the researcher developed and published a proof-of-concept (PoC) which shows how attackers could use the security bug to run malicious code on vulnerable unpatched computers.

The CVE-2018-8495 PoC can be hosted on web servers controlled by potential attackers

Because Al-Qabandi's PoC is coded using JavaScript and wrapped in an HTML file, attackers could host it on web servers they control and potentially run malicious tools on the victim's computer after exploiting the remote code execution vulnerability.

Furthermore, "If the current user is logged on with administrative user rights, an attacker could take control of an affected system," as Microsoft explains. "An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights."

At the moment, Al-Qabandi's PoC will only launch the Calculator application; it's just a matter of tweaking it to get other applications to start or run other commands designed to compromise the attacked system.

It is important to mention that although the researcher's proof-of-concept works on any Windows computer that runs Microsoft Edge and is exploitable through the CVE-2018-8495 vulnerability, all users who have installed Microsoft's October 2018 security patches are safe.