CVE-2024-38178 — Microsoft Windows Scripting Engine Memory Corruption Vulnerability

Windows Scripting Engine — Zero-Day Type Confusion Enables RCE via IE Mode; Reported by AhnLab and NCSC Korea

What is the Windows Scripting Engine?

The Windows Scripting Engine (jscript9.dll) is Microsoft's legacy JavaScript and JScript runtime, originally used by Internet Explorer and still present in Windows as a system component. Despite Internet Explorer's retirement, jscript9.dll remains on all Windows systems and can be invoked by applications using the MSHTML rendering engine — including Microsoft Edge's Internet Explorer (IE) compatibility mode, some legacy applications that embed MSHTML, and Windows components that use the Scripting Engine for automation. Vulnerabilities in jscript9.dll are exploitable when a victim's browser is configured to use IE mode or when a legacy application using MSHTML processes malicious content.

Overview

CVE-2024-38178 is a type confusion memory corruption vulnerability in the Windows Scripting Engine that allows an unauthenticated attacker to achieve remote code execution via a specially crafted URL. Exploitation requires the victim to use Microsoft Edge in Internet Explorer mode and follow a link to the malicious page — creating a social engineering prerequisite that explains the High Attack Complexity (AC:H) rating. Microsoft and CISA simultaneously disclosed this as a zero-day on August 13, 2024. It was reported by AhnLab and the National Cyber Security Centre (NCSC) of South Korea, indicating exploitation was observed targeting South Korean users — consistent with North Korean APT activity.

Affected Versions

OS | Status
Windows 10 (all supported versions) | Patched August 2024 Patch Tuesday
Windows 11 (all supported versions) | Patched August 2024 Patch Tuesday
Windows Server 2008 R2 and later | Patched August 2024 Patch Tuesday

Technical Details

The flaw is classified as CWE-843 (Access of Resource Using Incompatible Type / Type Confusion). The Scripting Engine contains a type confusion flaw in its JScript object handling, a root cause similar to V8 type confusion bugs but located in the legacy jscript9.dll rather than the modern V8 engine. When the scripting engine processes JavaScript that causes an object to be treated as the wrong type, memory is read or written using incorrect type layouts, corrupting the heap. In the scripting engine context, this typically yields a code execution primitive within the jscript9.dll execution context.

The exploitation prerequisite — IE mode in Microsoft Edge — means the attacker must deliver a URL to the victim and convince them to open it specifically in a browser configured to use IE mode. This is a real constraint in most environments, but in organizations that still use IE mode for legacy intranet applications (a common scenario in South Korean enterprises with legacy ERP and banking applications that still require IE), it is a viable attack path.

Discovery

The vulnerability was reported by AhnLab and the Korea National Cyber Security Centre (NCSC Korea). That the report came from South Korean defenders suggests exploitation was detected in campaigns targeting South Korean organizations, which is consistent with North Korean APT groups (APT37/ScarCruft, Lazarus Group) that routinely target South Korean government, defense, and financial institutions.

Exploitation Context

The AhnLab/NCSC Korea discovery points to exploitation against South Korean organizations that use IE mode, a legacy compatibility requirement common in Korean enterprise environments where older government portals and banking applications require Internet Explorer. North Korean APT groups regularly exploit legacy Windows components that remain active in Korean enterprise environments because of high IE mode adoption rates there.

Remediation

  1. Apply the August 2024 Windows security updates (Patch Tuesday, August 13, 2024).
  2. Disable Internet Explorer mode in Microsoft Edge where it is not required for business purposes — this eliminates the jscript9.dll attack surface entirely for most users.
  3. If IE mode is required, restrict it to a specific allowlist of trusted intranet sites via Group Policy rather than allowing arbitrary URLs to be opened in IE mode.
  4. Block outbound navigation from IE mode to external/internet URLs using Edge IE mode site list policies.
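One way to check steps 3 and 4 is to audit the Enterprise Mode site list XML that Edge's `InternetExplorerIntegrationSiteList` policy points to. The script below is an added example, not part of the original advisory or any Microsoft tooling; the sample site list, its host names and the `TRUSTED_SUFFIXES` value are constructed assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample site list (Enterprise Mode schema v2); hosts are made up.
SAMPLE_SITE_LIST = """<site-list version="7">
  <site url="erp.corp.example">
    <compat-mode>IE11</compat-mode>
    <open-in>IE11</open-in>
  </site>
  <site url="portal.corp.example/legacy">
    <compat-mode>Default</compat-mode>
    <open-in allow-redirect="true">IE11</open-in>
  </site>
  <site url="partner-bank.example.net">
    <compat-mode>Default</compat-mode>
    <open-in>IE11</open-in>
  </site>
  <site url="intranet.corp.example">
    <open-in>MSEdge</open-in>
  </site>
</site-list>"""

# Assumption: DNS suffixes the organization treats as trusted intranet.
TRUSTED_SUFFIXES = ("corp.example",)

def host_of(site_url):
    """Site entries carry no scheme; strip any path and port to get the host."""
    return site_url.split("/", 1)[0].split(":", 1)[0].lower().rstrip(".")

def is_trusted(host, suffixes=TRUSTED_SUFFIXES):
    # Match whole DNS labels so "evilcorp.example" does not pass for "corp.example".
    return any(host == s or host.endswith("." + s) for s in suffixes)

def audit_site_list(xml_text, suffixes=TRUSTED_SUFFIXES):
    """Return (url, finding) for each entry that widens the IE mode surface."""
    findings = []
    for site in ET.fromstring(xml_text).iter("site"):
        open_in = site.find("open-in")
        if open_in is None or (open_in.text or "").strip() != "IE11":
            continue  # entry does not route to IE mode
        url = site.get("url", "")
        if not is_trusted(host_of(url), suffixes):
            findings.append((url, "external host opens in IE mode"))
        if open_in.get("allow-redirect", "false").lower() == "true":
            findings.append((url, "opens in IE mode even when reached via redirect"))
    return findings

if __name__ == "__main__":
    for url, finding in audit_site_list(SAMPLE_SITE_LIST):
        print(f"{url}: {finding}")
```

Each finding is a site list entry to remove or justify; an empty result means every IE mode entry resolves to a trusted intranet suffix.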

Key Details

Property | Value
CVE ID | CVE-2024-38178
Vendor / Product | Microsoft — Windows
NVD Published | 2024-08-13
NVD Last Modified | 2025-10-28
CVSS 3.1 Score | 7.5
CVSS 3.1 Vector | CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
Severity | HIGH
CWE | CWE-843
CISA KEV Added | 2024-08-13
CISA KEV Deadline | 2024-09-03
Known Ransomware Use | No

CVSS 3.1 Breakdown

Metric | Value
Attack Vector | Network
Attack Complexity | High
Privileges Required | None
User Interaction | Required
Scope | Unchanged
Confidentiality | High
Integrity | High
Availability | High

Required Action

CISA BOD 22-01 Deadline: 2024-09-03. Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Timeline

Date | Event
2024-08-13 | Microsoft releases August 2024 Patch Tuesday; CISA adds to KEV the same day, confirming zero-day exploitation
2024-09-03 | CISA BOD 22-01 remediation deadline
