Microsoft has issued an out of band update for Internet Explorer to rectify a vulnerability that is being actively exploited. The Internet Explorer vulnerability was found by Clement Lecigne at Google’s Threat Analysis Group, who informed Microsoft of the vulnerability.
The remote code execution vulnerability, tracked as CVE-2018-8653, is in the Internet Explorer scripting engine, which manages memory objects. If the vulnerability is abused, an attacker might corrupt the memory in a way that lets the implementation of arbitrary code with the same level of rights as the existing user.
If the attack happens while a user is logged in that has administrative privileges, an attacker would be able to take complete control of the user’s appliance and connect programs, modify or erase data, or create new accounts with complete admin privileges.
For the vulnerability to be exploited, a user would need to visit a specifically created web page having the exploit code. This might be achieved through malvertising – malevolent advertisements that redirect users to the malevolent webpages – or by sending electronic mails having a hyperlink to the malevolent web page.
Updates have been issued for:
- Internet Explorer 11 on Windows 10
- Windows 8.1
- Windows 7 SP1
- Internet Explorer 10 on Windows Server 2012
- Internet Explorer 9 on Windows Server 2008
Obviously, the updates must be applied as soon as possible, even though temporary measures can be taken until the update is applied to defend against attack. Microsoft proposes rights to the jscript.dll file for the Everyone group must be removed. This will not have any unfavorable effects for users of Internet Explorer 9, 10, or 11, which use the jscript9.dll file by default.
To modify rights on 32-bit systems, enter the following command at an admin command prompt:
cacls %windir%\system32\jscript.dll /E /P everyone:N
On 64-bit systems, enter the following command:
cacls %windir%\syswow64\jscript.dll /E /P everyone:N
No details have been issued to date on present attacks that are abusing this vulnerability. Google has yet to provide that information to Microsoft.