Bruno Keith, a researcher on the Phoenhex team, found a critical vulnerability in Chakra, the JavaScript engine used by Microsoft Edge. He also said that all versions of Windows are affected by the problem, and that only on Windows Server (2016 and 2019) does the bug pose a lower threat.
Because the patch for this flaw was released two weeks ago, the researchers decided that a proof-of-concept (PoC) exploit for the fresh vulnerability could now be published. The exploit is 71 lines of code and triggers an out-of-bounds memory read; the researcher himself describes the resulting primitive as an almost unbounded relative read/write. The researchers note that the effect of the exploit in its current form may not look very dangerous to many, but the PoC can be modified to achieve far more serious results.
I published the PoC for CVE-2018-8629: a JIT bug in Chakra fixed in the latest security updates. It came in an (almost) unbounded relative R/W https://t.co/ (Bruno Keith, @bkth_, December 27, 2018)
The researchers point out that this bug can be used in web attacks: it is enough for an attacker to set up a malicious site hosting the exploit and lure a victim running a vulnerable Microsoft Edge to it. The exploit can also be delivered through other resources the victim visits regularly, for example through advertisements on otherwise legitimate sites. Since the patch was released only this month, not all users will have installed the update yet.