CVE-2022-41128 — Microsoft Windows Scripting Languages Remote Code Execution Vulnerability

Windows JScript9 — Out-of-Bounds Write in Internet Explorer's JavaScript Engine via Malicious Web Content; November 2022 Zero-Day; Exploited by North Korean APT37

What is Windows JScript9?

JScript9 is Microsoft's legacy JavaScript engine, originally developed for Internet Explorer 9 and carried forward in later versions. Although Internet Explorer was officially retired in June 2022, JScript9 remains present in Windows through IE Mode in Microsoft Edge (which lets enterprise web applications that require Internet Explorer compatibility open in an embedded IE 11 rendering engine inside Edge) and through the legacy iexplore.exe process. JScript9 is also embedded in Windows' script hosting infrastructure (wscript.exe, cscript.exe) and used by some Office components for macro scripting. An out-of-bounds write in JScript9 therefore lets an attacker who can cause the engine to execute crafted JavaScript — via IE Mode, a malicious document with embedded script, or social engineering — achieve remote code execution in the JScript9 host process.

Overview

CVE-2022-41128 is an out-of-bounds write vulnerability (CWE-787) in the Windows JScript9 scripting engine that allows a remote attacker to achieve code execution when a user browses to a maliciously crafted web page in Internet Explorer or IE Mode, or opens a malicious document that triggers JScript9 execution. Microsoft patched it on November 8, 2022 as an actively exploited zero-day; CISA added it to the KEV catalog the same day, one day before NVD publication. Google's Threat Analysis Group (TAG) attributed active exploitation to the North Korean state-sponsored threat actor APT37 (InkySquid/Reaper) in targeted phishing campaigns.

Affected Versions

Product | Affected | Fixed
Windows 7 through Windows 11 (JScript9 component) | Prior to November 2022 cumulative update | November 8, 2022 cumulative update
Windows Server 2008 through 2022 | Prior to November 2022 cumulative update | November 8, 2022 cumulative update

Technical Details

The out-of-bounds write (CWE-787) in JScript9 is triggered during JavaScript parsing, compilation, or runtime execution when the engine processes crafted JavaScript that causes a memory write beyond the bounds of a heap-allocated buffer. The exploitation pattern:

  1. Deliver malicious content to JScript9 — the attacker serves a crafted web page to a victim using Internet Explorer or IE Mode in Edge, or distributes a malicious document that triggers JScript9 (e.g., a crafted HTML application or Office document with embedded script)
  2. Trigger the out-of-bounds write — the crafted JavaScript executes a specific code path in JScript9 that writes beyond the boundary of an allocated heap buffer
  3. Corrupt JScript9 heap structures — the write corrupts adjacent memory in the JScript9 engine process (Internet Explorer, iexplore.exe, or the host process)
  4. Achieve code execution — leverage the heap corruption to manipulate JScript9 internal structures (typed arrays, function objects, or garbage collector metadata) to execute arbitrary code in the host process

The UI:R (user interaction required) component of the CVSS vector reflects that the victim must open the malicious content: browse to the crafted URL in IE/IE Mode, or open a document that triggers JScript9 execution.

Discovery

CVE-2022-41128 was discovered by Clément Lecigne of Google's Threat Analysis Group (TAG), who identified it being actively exploited by North Korean threat actor APT37 (InkySquid / Reaper) in targeted phishing campaigns. APT37 used this JScript9 zero-day to target South Korean citizens and organizations. The attack chain delivered phishing emails containing malicious links that, when opened in Internet Explorer or via IE Mode, triggered the JScript9 zero-day to execute APT37 malware.

Exploitation Context

APT37 (InkySquid, Reaper, ScarCruft) is a North Korean state-sponsored threat group that primarily targets South Korean government entities, defense contractors, journalists, and human rights organizations, as well as North Korean defectors. APT37's use of CVE-2022-41128:

  • Phishing emails were delivered to South Korean targets with URLs designed to open in IE Mode or legacy Internet Explorer contexts
  • The JScript9 zero-day executed in the IE/IE Mode process, dropping APT37 malware (including the ROKRAT backdoor) onto the victim's system
  • South Korean news topics and government-related lures served as the phishing pretexts

IE Mode in Microsoft Edge presents a persistent JScript9 attack surface for organizations that have configured Edge to open specific enterprise web application URLs in IE Mode — any such configuration opens the JScript9 engine to exploitation when the user is navigated to a malicious page in that mode.

Remediation

  1. Apply the November 2022 Windows cumulative update — patches CVE-2022-41128 in the JScript9 engine.
  2. Disable IE Mode in Microsoft Edge — for organizations that do not require IE Mode for legacy applications, disable the feature via Group Policy to eliminate the JScript9 attack surface entirely.
  3. Configure IE Mode site list strictly — if IE Mode is required for specific legacy applications, configure an explicit site list (Enterprise Site List Manager) containing only the required legacy application URLs; prevent arbitrary URLs from opening in IE Mode.
  4. Remove iexplore.exe from the system — post-IE retirement, the iexplore.exe binary can be removed or disabled on systems that do not use IE Mode, eliminating the standalone IE attack surface.
  5. Deploy URL filtering — block navigation to malicious URLs at the proxy/DNS layer; APT37 phishing campaigns rely on users clicking links to attacker-controlled domains.
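Remediation steps 2 to 4 above, worked through as an added PowerShell example that is not part of this advisory: it audits a host's IE Mode exposure, writes a strict Enterprise Mode Site List, and can disable IE Mode outright. It assumes the documented Edge policy values InternetExplorerIntegrationLevel and InternetExplorerIntegrationSiteList under HKLM\SOFTWARE\Policies\Microsoft\Edge; the site list path, the allowed URL, and the "update installed on or after 2022-11-08" patch heuristic are placeholders and assumptions, not values from the advisory.

```powershell
# Added example, not part of the advisory: audit and harden Edge IE Mode exposure
# on a Windows host. Assumes the documented Edge policy values under
# HKLM\SOFTWARE\Policies\Microsoft\Edge:
#   InternetExplorerIntegrationLevel    (DWORD: 0 = none, 1 = IE Mode)
#   InternetExplorerIntegrationSiteList (string: path or URL of the v2 site list XML)
# The site list path, the allowed URLs and the patch-date heuristic are placeholders.

$EdgePolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Edge'

function Get-IEModeExposure {
    # Report whether IE Mode is enabled, whether it is constrained by a site list,
    # whether iexplore.exe is still present, and whether any update dated on or
    # after the November 2022 Patch Tuesday is installed (heuristic, not a KB check).
    $level = $null
    $siteList = $null
    if (Test-Path $EdgePolicyKey) {
        $props    = Get-ItemProperty -Path $EdgePolicyKey
        $level    = $props.InternetExplorerIntegrationLevel
        $siteList = $props.InternetExplorerIntegrationSiteList
    }
    $iePath = Join-Path $env:ProgramFiles 'Internet Explorer\iexplore.exe'
    $patchCutoff = [datetime]'2022-11-08'
    $recentUpdate = Get-HotFix | Where-Object { $_.InstalledOn -and $_.InstalledOn -ge $patchCutoff }

    [pscustomobject]@{
        IEModeEnabled        = ($level -eq 1)
        SiteListConfigured   = -not [string]::IsNullOrEmpty($siteList)
        SiteListLocation     = $siteList
        IexploreStillPresent = Test-Path $iePath
        UpdateSinceNov2022   = [bool]$recentUpdate
    }
}

function Write-StrictIEModeSiteList {
    # Write a v2 Enterprise Mode Site List that opens only the listed legacy
    # application URLs in IE11 mode, then point Edge at it so that IE Mode is
    # restricted to that list. Increment -Version whenever the list changes so
    # Edge refreshes its cached copy.
    param(
        [Parameter(Mandatory)] [string[]] $AllowedUrls,
        [string] $SiteListPath = 'C:\ProgramData\IEModeSiteList\sitelist.xml',  # placeholder location
        [int]    $Version = 1
    )
    $siteEntries = foreach ($url in $AllowedUrls) {
        "  <site url=`"$url`">`n    <compat-mode>Default</compat-mode>`n    <open-in>IE11</open-in>`n  </site>"
    }
    $xml = "<site-list version=`"$Version`">`n$($siteEntries -join "`n")`n</site-list>"

    New-Item -ItemType Directory -Force -Path (Split-Path -Parent $SiteListPath) | Out-Null
    Set-Content -Path $SiteListPath -Value $xml -Encoding UTF8

    New-Item -Path $EdgePolicyKey -Force | Out-Null
    Set-ItemProperty -Path $EdgePolicyKey -Name InternetExplorerIntegrationLevel -Value 1 -Type DWord
    Set-ItemProperty -Path $EdgePolicyKey -Name InternetExplorerIntegrationSiteList -Value $SiteListPath -Type String
}

function Disable-IEMode {
    # For hosts with no legacy application requirement: turn IE Mode off entirely.
    New-Item -Path $EdgePolicyKey -Force | Out-Null
    Set-ItemProperty -Path $EdgePolicyKey -Name InternetExplorerIntegrationLevel -Value 0 -Type DWord
}

# Usage (run from an elevated PowerShell session):
#   Get-IEModeExposure
#   Write-StrictIEModeSiteList -AllowedUrls 'legacy-app.example.internal'   # placeholder URL
#   Disable-IEMode
```

Get-HotFix reads Win32_QuickFixEngineering, which does not enumerate every servicing-stack or feature update, so treat UpdateSinceNov2022 as a first-pass signal and confirm the November 2022 cumulative update through your patch management inventory. Writing the policy values locally is for single-host testing; in production the same two policies should be delivered through Group Policy or your MDM so that the setting cannot be silently reverted.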

Key Details

CVE ID: CVE-2022-41128
Vendor / Product: Microsoft — Windows
NVD Published: 2022-11-09
NVD Last Modified: 2026-01-14
CVSS 3.1 Score: 8.8
CVSS 3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Severity: HIGH
CWE: CWE-787
CISA KEV Added: 2022-11-08
CISA KEV Deadline: 2022-12-09
Known Ransomware Use: No

CVSS 3.1 Breakdown

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Required Action

CISA BOD 22-01 Deadline: 2022-12-09. Apply updates per vendor instructions.

Timeline

2022-11-08: Microsoft November 2022 Patch Tuesday — CVE-2022-41128 patched as an actively exploited zero-day; CISA adds it to KEV the same day
2022-11-09: CVE-2022-41128 published to NVD
2022-12-09: CISA BOD 22-01 remediation deadline