| CVE Number | Vulnerability | Product | Severity | Date |
| --- | --- | --- | --- | --- |
| MS15-053 | Vulnerabilities in JScript and VBScript Scripting Engines Could Allow Security Feature Bypass (3057263) | JScript 5.6 | Important | 13-05-2015 |

Technical Information

Brief overview of the risk:
This security update resolves ASLR security feature bypasses in the JScript and VBScript scripting engines in Microsoft Windows. An attacker could use one of these ASLR bypasses in conjunction with another vulnerability, such as a remote code execution vulnerability, to more reliably run arbitrary code on a target system.

Detailed Information on the risk:

A security feature bypass exists when the VBScript engine fails to use the Address Space Layout Randomization (ASLR) security feature, allowing an attacker to more reliably predict the memory offsets of specific instructions in a given call stack. The security feature bypass by itself does not allow arbitrary code execution. However, an attacker could use the ASLR bypass in conjunction with another vulnerability, such as a remote code execution vulnerability, to more reliably run arbitrary code on a target system. In a web-browsing scenario, successful exploitation of an ASLR bypass requires that a user is logged on and running an affected version of Internet Explorer, and browses to a malicious site.


Further information on this exploit is available at: MS15-053

Affected Software

JScript 5.6 and VBScript 5.6
JScript 5.7 and VBScript 5.7