Free Republic
Browse · Search
General/Chat
Topics · Post Article

Skip to comments.

On the first day of Christmas, MS gave to me, an emergency out-of-band security patch for IE
The Register ^ | Dec 19, 2018 | Chris Williams

Posted on 12/20/2018 7:03:22 PM PST by dayglored

Update Internet Explorer now after Google detects attacks in the wild

Microsoft today emitted an emergency security patch for a flaw in Internet Explorer that hackers are exploiting in the wild to hijack computers.

The vulnerability, CVE-2018-8653, is a remote-code execution hole in the browser's scripting engine.

Visiting a malicious website abusing this bug with a vulnerable version of IE is enough to be potentially infected by spyware, ransomware or some other software nasty. Thus, check Microsoft Update and install any available patches as soon as you can.

Any injected code will run with the privileges of the logged-in user, which is why browsing the web using Internet Explorer as an administrator is like scratching an itch with a loaded gun.

According to Redmond:

A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.

An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit the vulnerability through Internet Explorer and then convince a user to view the website, for example, by sending an email.

While exploit code for the bug has not been publicly disclosed, it is being leveraged in the wild to attack victims, according to Microsoft, hence why the patches are being flung out today out-of-band, rather than slipping them into January's Patch Tuesday.

Clement Lecigne of Google’s Threat Analysis Group is credited for uncovered the flaw. We've pinged Google for more details on how miscreants are abusing the programming blunder.

A spokesperson for Microsoft's security team said: "Today, we released a security update for Internet Explorer after receiving a report from Google about a new vulnerability being used in targeted attacks.

"Customers who have Windows Update enabled and have applied the latest security updates, are protected automatically. We encourage customers to turn on automatic updates. Microsoft would like to thank Google for their assistance."

Internet Explorer 9 to 11 on Windows 7 to 10, Server 2008 to 2019, and RT 8.1 are affected, though the server editions run IE in a restricted mode that should thwart attacks via this vulnerability.

One workaround, if you want to hold off on installing patches immediately, is to disable access to JScript.dll using the commands listed by Microsoft in its above-linked advisory. That will force IE to use Jscript9.dll, which is not affected by the flaw. Any websites that rely on Jscript.dll will break, though.

A possible alternative is to not use Internet Explorer, of course. ®


TOPICS: Business/Economy; Computers/Internet; Hobbies
KEYWORDS: ie; microsoft; patch; windows; windowspinglist
Navigation: use the links below to view more comments.
first previous 1-2021-24 last
To: dayglored

Both IE users will be glad to hear this.


21 posted on 12/21/2018 8:14:37 AM PST by Still Thinking (Freedom is NOT a loophole!)
[ Post Reply | Private Reply | To 1 | View Replies]

To: grey_whiskers

LOL, GMTA. I was going to post that same meme.


22 posted on 12/21/2018 8:15:58 AM PST by Still Thinking (Freedom is NOT a loophole!)
[ Post Reply | Private Reply | To 15 | View Replies]

To: mabarker1

Abacas !

Chalk Board !

AM / FM radio and Siphon hose in the truck !

Computer , news papers, magazines and books at public library !

Life is good ......


23 posted on 12/21/2018 9:16:10 AM PST by Squantos (Be polite, be professional, but have a plan to kill everyone you meet ...)
[ Post Reply | Private Reply | To 13 | View Replies]

To: mabarker1

at least ya don’t have to change the battery


24 posted on 12/21/2018 3:04:55 PM PST by Chode ( WeÂ’re America, Bitch!)
[ Post Reply | Private Reply | To 13 | View Replies]


Navigation: use the links below to view more comments.
first previous 1-2021-24 last

Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.

Free Republic
Browse · Search
General/Chat
Topics · Post Article

FreeRepublic, LLC, PO BOX 9771, FRESNO, CA 93794
FreeRepublic.com is powered by software copyright 2000-2008 John Robinson