New issue
Advanced search Search tips

Issue 1669 link

Starred by 1 user

Issue metadata

Status: Fixed
Owner:
Closed: Dec 19
Cc:



Sign in to add a comment

Windows: VBScript execution policy bypass via MSXML

Project Member Reported by ifratric@google.com, Sep 19

Issue description

According to https://blogs.windows.com/msedgedev/2017/07/07/update-disabling-vbscript-internet-explorer-11/, Starting from Windows 10 Fall Creators Update, VBScript execution in IE 11 should be disabled for websites in the Internet Zone and the Restricted Sites Zone by default.

However, the VBScript execution policy does not appear to cover VBScript code in MSXML xsl files which can still execute VBScript, even when loaded from the Internet Zone.

To demonstrate, place the files in the attached archive on a web server in the Internet zone and open index.html. If successful, the text "Hello from VBscript" will be rendered on the page. If you look at the provided code, this text is assembled dynamically by VBScript.

This has been tested on Windows 10 Version 1803 with the latest patches applied and VBScript execution policy applied for the Internet Zone (HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\140C = 3).


This bug is subject to a 90 day disclosure deadline. After 90 days elapse
or a patch has been made broadly available (whichever is earlier), the bug
report will become visible to the public.

 
bypass.zip
967 bytes Download
Project Member

Comment 1 by ifratric@google.com, Dec 19

Labels: CVE-2018-8619
Status: Fixed (was: New)
Fixed in December update
Project Member

Comment 2 by ifratric@google.com, Dec 19

Labels: -Restrict-View-Commit

Sign in to add a comment