Microsoft issues out-of-band patch for exploited memory corruption bug in Internet Explorer

Microsoft Corporation yesterday released an emergency patch for a remote code execution vulnerability in Internet Explorer that attackers have been actively exploiting in the wild.

Designated CVE-2018-8653, the zero-day memory corruption bug results from the mishandling of objects in memory by the JScript component of Internet Explorer's scripting engine, according to an official advisory from Microsoft, as well as a separate advisory published by the CERT Coordination Center at Carnegie Mellon's Software Engineering Institute. Found in versions 9, 10 and 11 of IE, the flaw is considered critical on certain Windows platforms, and of moderate severity on others.

Attackers can capitalize on this vulnerability by tricking victims into viewing a malicious website/HTML document or opening specially crafted PDFs, Microsoft Office files, or other docs that support embedded IE scripting engine content. In such a scenario, the attackers could gain the same level of privilege as the current user.

If the current user has admin privileges, that means the attackers "could then install programs; view, change, or delete data; or create new accounts with full user rights," Microsoft warns in its official advisory.

The bug's discovery is credited to Clement Lecigne of Google’s Threat Analysis Group. No further details are currently available regarding the zero-day attacks that sought to capitalize on the flaw.

Microsoft says that users can lessen the vulnerability's impact by restricting access to the jscript.dll file via a special command. This workaround would affect only those websites that specifically request the use of JScript as a scripting engine. Many other websites would still function as intended because, under its default settings, IE doesn't normally use jscript.dll. It typically uses Jscript9.dll instead, which does not contain the vulnerability.
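For administrators who want to confirm whether that restriction is in place on a given machine, the following PowerShell audit is an added example and is not taken from this article or from Microsoft's advisory. It assumes the restriction takes the form of a Deny entry for the Everyone group (SID S-1-1-0) on jscript.dll, and it only reads permissions without changing them.

```powershell
# Added example: report whether access to jscript.dll has been restricted.
# Assumption: the restriction is a Deny ACE for Everyone (SID S-1-1-0).
$everyone = [System.Security.Principal.SecurityIdentifier]'S-1-1-0'
$execute  = [System.Security.AccessControl.FileSystemRights]::ReadAndExecute

# 64-bit Windows also carries a 32-bit copy under SysWOW64; check both.
$paths = @(
    Join-Path $env:windir 'System32\jscript.dll'
    Join-Path $env:windir 'SysWOW64\jscript.dll'
)

foreach ($path in $paths) {
    # A 32-bit OS has no SysWOW64 copy; skip paths that do not exist.
    if (-not (Test-Path -LiteralPath $path)) { continue }

    try {
        $acl = Get-Acl -LiteralPath $path -ErrorAction Stop
        # Resolve ACEs to SIDs so localized group names still match.
        $rules = $acl.GetAccessRules($true, $true,
            [System.Security.Principal.SecurityIdentifier])

        $denied = $false
        foreach ($rule in $rules) {
            if ($rule.IdentityReference -eq $everyone -and
                $rule.AccessControlType -eq 'Deny' -and
                ($rule.FileSystemRights -band $execute) -eq $execute) {
                $denied = $true
            }
        }
        $status = if ($denied) { 'Deny ACE for Everyone present' }
                  else         { 'No deny ACE: file is loadable' }
    }
    catch {
        # A deny-all entry can also block reading the ACL itself,
        # so a failure here is reported rather than treated as "not applied".
        $status = "ACL unreadable: $($_.Exception.Message)"
    }

    [pscustomobject]@{ Path = $path; Status = $status }
}
```

A machine that reports "No deny ACE" for either copy is relying on the patch alone, so its update status should be checked separately.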

Bradley Barth
