Microsoft pledges to patch Internet Explorer bug that is being actively exploited
Microsoft says it is working on a fix for a serious security vulnerability in Internet Explorer. The bug affects versions 9, 10 and 11 of the browser in Windows 7, 8.x, 10, Windows Server 2008 and 2012.
The memory handling bug can be exploited by an attacker to run malicious code on a target computer, but despite its severity, Microsoft is unlikely to release the fix before next month's Patch Tuesday. News of the vulnerability comes just days after Microsoft ended support for Windows 7.
- Microsoft turns the screws on Windows 7 users with full-screen upgrade warnings
- Microsoft is rolling out Chromium-based Edge to everyone from today, but it's missing important features
- Microsoft's Windows 7 end-of-life advice: 'buy a Surface'
While the vulnerability is labeled as Critical for users of Windows 7, 8.x and 10, the rating for Windows Server is merely Moderate. This is because Windows Server runs Internet Explorer using Enhanced Security Configuration, a more restricted mode which limits the risk of exploitation.
News of the vulnerability was broken on Twitter by US-CERT:
VU#338824: Microsoft Internet Explorer Scripting Engine memory corruption vulnerability https://t.co/VAnKfBDdLU
— US-CERT (@USCERT_gov) January 18, 2020
The tweet links to an article which explains:
Microsoft Internet Explorer contains a scripting engine, which handles execution of scripting languages such as VBScript and JScript. The scripting engine JScript component contains an unspecified memory corruption vulnerability. Any application that supports embedding Internet Explorer or its scripting engine component may be used as an attack vector for this vulnerability.
This vulnerability was detected in exploits in the wild.
In a security advisory posted on its own website, Microsoft warns:
A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit the vulnerability through Internet Explorer and then convince a user to view the website, for example, by sending an email.
Until a patch is released, the advice is to restricted access to the file JScript.dll. Microsoft provides details of this workaround in its advisory.
As Windows 7 is no longer support by Microsoft, we're not expecting it to release a patch for this version of the operating system. We have contacted the company for confirmation, and will update this story when we hear back.