A proof-of-concept (POC) has been released for an exploit of a recently patched Microsoft Edge vulnerability.
The Windows Shell Remote Code Execution (RCE) vulnerability (CVE-2018-8495) exists when Windows Shell improperly handles URIs. The bug was patched this past Tuesday as part of Microsoft’s October security updates.
Trend Micro’s Zero Day Initiative (ZDI) released an updated security advisory on the threat:
“This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Microsoft Edge. User interaction is required to exploit this vulnerability in that the target must visit a malicious web page and perform a UI action.”
Security researcher Abdulrahman Al-Qabandi published the Microsoft Edge RCE exploit POC and a video in a blog post.
“Chaining a few bugs in Edge I was able to achieve remote code execution by mainly abusing custom URI schemes,” Al-Qabandi said.
The researcher previously disclosed the exploit for the vulnerability to ZDI.