26.12.18

Microsoft issues emergency fix for Internet Explorer zero-day

Details are sparse about a security hole that Microsoft said is being exploited in targeted attacks
Microsoft rolled out an emergency security update on Wednesday to patch a zero-day vulnerability in its Internet Explorer (IE) web browser that malicious actors are exploiting in the wild to hack into Windows computers.
The security hole – classified as a remote-code execution vulnerability and tracked as CVE-2018-8653 – resides in IE’s scripting engine, specifically in how the engine handles objects in memory. If exploited, the flaw gives the attacker the same privileges as those of the current user.
“If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights,” reads Microsoft’s advisory.
Cyber-criminals could exploit the memory-corruption vulnerability and infiltrate Windows machines, for example, by luring IE users to visit a malicious website.
The out-of-band update to plug in the hole in IE9, IE10 and IE11 was made available for Windows 7, 8.1 and 10 systems, as well as Windows Server 2008, 2012, 2016, and 2019. Users are strongly recommended to apply the latest updates as soon as possible.
“Customers who have Windows Update enabled and have applied the latest security updates, are protected automatically. We encourage customers to turn on automatic updates,” wrote Microsoft, which credited Google’s Threat Analysis Group with reporting the vulnerability.
Microsoft’s supporting documentation also provides guidance for Windows users and/or administrators who want to address the flaw via workarounds in case they’re unable to apply the fix immediately.