Here’s one more reason to hurry with the implementation of the latest Microsoft patches: a PoC exploit for a remote code execution vulnerability that can be exploited via Microsoft Edge has been published and can be easily adapted by attackers.
About the vulnerability (CVE-2018-8495)
CVE-2018-8495 exists because Windows Shell improperly handles special characters in URIs (it does not sanitize them).
“There are multiple issues with the way the product handles URIs within certain schemes. The product does not warn the user that a dangerous navigation is about to take place,” Trend Micro’s Zero Day Initiative (ZDI) explains in the advisory. “An attacker can manipulate the user interface so that the user’s action is interpreted as permission to proceed with opening a dangerous file.”
Full Article.