Microsoft Corporation yesterday released an emergency patch for a remote code execution vulnerability in Internet Explorer that attackers have been actively exploiting in the wild.
Designated CVE-2018-8653, the zero-day memory corruption bug results from the mishandling of objects in memory by the JScript component of Internet Explorer’s scripting engine, according to an official advisory from Microsoft, as well as a separate advisory published by the CERT Coordination Center at Carnegie Mellon’s Software Engineering Institute. Found in versions 9, 10 and 11 of IE, the flaw is considered critical on certain Windows platforms, and of moderate severity on others.
Attackers can capitalize on this vulnerability by tricking victims into viewing a malicious website/HTML document or opening specially crafted PDFs, Microsoft Office files, or other docs that support embedded IE scripting engine content. In such a scenario, the attackers could gain the same level of privilege as the current user.
If the current user has admin privileges, that means the attackers “could then install programs; view, change, or delete data; or create new accounts with full user rights,” Microsoft warns in its official advisory.
The bug’s discovery is credited to Clement Lecigne of Google’s Threat Analysis Group. No further details are currently available regarding the zero-day attacks that sought to capitalize on the flaw.
Microsoft says that users can lessen the vulnerability’s impact by restricting access to the jscript.dll file via a special command. This workaround would affect only those websites that specifically request JScript as their scripting engine. Many other websites would still function as intended because, under its default settings, IE doesn’t normally use jscript.dll. More typically, IE uses Jscript9.dll, which does not contain the vulnerability.
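
To confirm whether the workaround is in place on a given machine, the file's access-control list can be audited. The following PowerShell is an added example, not part of the original article or of Microsoft's advisory. It assumes the restriction was applied as a Deny entry for the Everyone group (SID S-1-1-0) on the copies of jscript.dll under System32 and SysWOW64; the function name `Test-JScriptRestricted` is hypothetical.

```powershell
# Added example: audit whether access to jscript.dll is restricted on this host.
# Assumption: the restriction is a Deny ACE for Everyone (well-known SID S-1-1-0).
$EveryoneSid = 'S-1-1-0'
$Needed = [System.Security.AccessControl.FileSystemRights]::ReadAndExecute

# On 64-bit Windows the 64-bit and 32-bit copies live in different directories.
$Paths = @(
    (Join-Path $env:windir 'System32\jscript.dll'),
    (Join-Path $env:windir 'SysWOW64\jscript.dll')
)

function Test-JScriptRestricted {
    param([Parameter(Mandatory)][string]$Path)

    $result = [ordered]@{ Path = $Path; State = 'NotPresent'; Owner = $null }
    if (-not (Test-Path -LiteralPath $Path)) { return [pscustomobject]$result }

    try {
        $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop
    } catch {
        # A broad Deny entry can also block reading the ACL for a non-owner,
        # so report this separately instead of guessing either way.
        $result.State = 'AclUnreadable'
        return [pscustomobject]$result
    }

    # Request SIDs so the check does not depend on the localized group name.
    $rules = $acl.GetAccessRules($true, $true,
        [System.Security.Principal.SecurityIdentifier])
    $deny = @($rules | Where-Object {
        $_.AccessControlType -eq 'Deny' -and
        $_.IdentityReference.Value -eq $EveryoneSid -and
        ($_.FileSystemRights -band $Needed) -eq $Needed
    })

    $result.Owner = $acl.Owner
    $result.State = if ($deny.Count -gt 0) { 'Restricted' } else { 'NotRestricted' }
    [pscustomobject]$result
}

$Paths | ForEach-Object { Test-JScriptRestricted -Path $_ } | Format-Table -AutoSize
```

A host that reports `NotRestricted` for either copy and has not yet received the patch is still exposed through that copy of the engine.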