On the first day of Christmas, Microsoft gave to me... an emergency out-of-band security patch for IE
Update Internet Explorer now after Google detects attacks in the wild
Microsoft today emitted an emergency security patch for a flaw in Internet Explorer that hackers are exploiting in the wild to hijack computers.
The vulnerability, CVE-2018-8653, is a remote-code execution hole in the browser's scripting engine.
Visiting a malicious website abusing this bug with a vulnerable version of IE is enough to be potentially infected by spyware, ransomware or some other software nasty. Thus, check Microsoft Update and install any available patches as soon as you can.
Any injected code will run with the privileges of the logged-in user, which is why browsing the web using Internet Explorer as an administrator is like scratching an itch with a loaded gun.
According to Redmond:
A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.
An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit the vulnerability through Internet Explorer and then convince a user to view the website, for example, by sending an email.
While exploit code for the bug has not been publicly disclosed, it is being leveraged in the wild to attack victims, according to Microsoft, hence why the patches are being flung out today out-of-band, rather than slipping them into January's Patch Tuesday.
Clement Lecigne of Google’s Threat Analysis Group is credited for uncovered the flaw. We've pinged Google for more details on how miscreants are abusing the programming blunder.
A spokesperson for Microsoft's security team said: "Today, we released a security update for Internet Explorer after receiving a report from Google about a new vulnerability being used in targeted attacks.
"Customers who have Windows Update enabled and have applied the latest security updates, are protected automatically. We encourage customers to turn on automatic updates. Microsoft would like to thank Google for their assistance."
Internet Explorer 9 to 11 on Windows 7 to 10, Server 2008 to 2019, and RT 8.1 are affected, though the server editions run IE in a restricted mode that should thwart attacks via this vulnerability.
One workaround, if you want to hold off on installing patches immediately, is to disable access to
JScript.dll using the commands listed by Microsoft in its above-linked advisory. That will force IE to use
Jscript9.dll, which is not affected by the flaw. Any websites that rely on
Jscript.dll will break, though.
A possible alternative is to not use Internet Explorer, of course. ®