Microsoft issues emergency patch to fix serious Internet Explorer zero-day vulnerability
Microsoft has issued an emergency, out-of-band patch for an Internet Explorer zero-day that was being actively exploited in targeted attacks.
The company says that it learned about the vulnerability through a report from Google. CVE-2018-8653 affects a range of versions of Internet Explorer from 9 to 11, across Windows 7 to 10 and Windows Server.
- Latest Windows 10 preview build is an early Christmas present for Insiders, with Windows Sandbox and other treats
- Microsoft has made a free Office app for Windows 10
- Microsoft announces Windows Sandbox, a desktop environment for running applications in isolation
The vulnerability amounts to a remote code execution exploit, and it was first spotted by Google's Threat Analysis Group. Microsoft explains that a problem with Internet Explorer's scripting engine could be exploited by an attacker to execute arbitrary code on a victim's computer.
In a short security advisory, the company says:
Today, we released a security update for Internet Explorer after receiving a report from Google about a new vulnerability being used in targeted attacks.
Customers who have Windows Update enabled and have applied the latest security updates, are protected automatically. We encourage customers to turn on automatic updates.
Microsoft would like to thank Google for their assistance.
In a more detailed security vulnerability posting, Microsoft explains the impact of the problem:
A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit the vulnerability through Internet Explorer and then convince a user to view the website, for example, by sending an email.
The security update addresses the vulnerability by modifying how the scripting engine handles objects in memory.
If you have automatic updates enabled, you should already have the patch installed, but if not, now is the time to manually scan for updates.