Search icon CANCEL
Arrow left icon
Explore Products
Best Sellers
New Releases
Books
Videos
Audiobooks
Learning Hub
Conferences
Free Learning
Arrow right icon

Microsoft urgently releases Out-of-Band patch for an active Internet Explorer remote code execution zero-day vulnerability

Save for later
  • 3 min read
  • 20 Dec 2018

article-image

Yesterday, Microsoft released an out-of-band patch for a vulnerability discovered in the Internet Explorer that attackers are actively exploiting on the Internet. The IE zero-day can allow an attacker to execute malicious code on a user's computer.

The vulnerability has been assigned ID CVE-2018-8653 and the security update is released as KB4483187; titled "Cumulative security update for Internet Explorer: December 19, 2018". It is available for Internet Explorer 11 on Windows 10, Windows 8.1, and Windows 7 SP1, Internet Explorer 10 on Windows Server 2012, and Internet Explorer 9 on Windows Server 2008.

Microsoft has acknowledged Clement Lecigne of Google’s Threat Analysis Group for reporting the exploitation of this Internet Explorer vulnerability. Apart from the security advisory released yesterday, neither Microsoft or Google has shared any details about the attacks involving the flaw.

Vulnerability Details


According to Microsoft's security advisory, the remote code execution vulnerability was found in IE’s memory handling in Jscript.dll.  An attacker could corrupt IE’s memory to allow code execution on the affected system. The attacker could convince a user to visit a malicious website, which could then exploit this vulnerability, executing code on the user’s local machine.

After exploiting the vulnerability, the attackers would be able to perform commands on the victim's system such as downloading further malware, scripts, or executing any command that the currently logged in user has access to. The issue can also be exploited through applications that embed the IE scripting engine to render web-based content such as the apps part of the Office suite.

According to Microsoft, the attacker will get code execution rights under the same privileges the victims have. If the victim is using an account with limited access, the damage can be contained to simple operations, however, in case of a user having administrator rights, the attacker can increase the scope of the damage done.

Unlock access to the largest independent learning library in Tech for FREE!
Get unlimited access to 7500+ expert-authored eBooks and video courses covering every tech area you can think of.
Renews at £16.99/month. Cancel anytime

Mitigations and Workarounds


According to ZDNet, in the previous four months, Microsoft has patched four other zero-days. All these zero-days allow an "elevation of privilege". This means that if a victim has missed any of the previous four Windows Patch Tuesday patches, an attacker can chain the IE zero-day with one of the previous zero-days (CVE-2018-8611, CVE-2018-8589, CVE-2018-8453, CVE-2018-8440) to gain SYSTEM-level access, and take over a targeted computer.

Microsoft has assured customers who have Windows Update enabled and have applied the latest security updates that they are automatically protected against exploits. They have advised users to install the update as soon as possible, even if they don't normally use IE to browse sites.

For those who want to mitigate the vulnerability until the update is installed, they can do the same by removing privileges to the jscript.dll file for the Everyone group. According to Microsoft, using this mitigation will not cause problems with Internet Explorer 11,10, or 9 as they use the Jscript9.dll by default. There are no workarounds listed on the security advisory for this vulnerability.

Read the full security advisory on Microsoft’s blog.

Microsoft announces Windows DNS Server Heap Overflow Vulnerability, users dissatisfied with patch details
Microsoft calls on governments to regulate Facial recognition tech now, before it is too late
NYT says Facebook has been disclosing personal data to Amazon, Microsoft, Apple and other tech giants; Facebook denies claims with obfuscating press release