Actively Exploited Internet Explorer Flaw Patched by Microsoft

Microsoft has released an out-of-band update for Internet Explorer to fix a vulnerability that is being actively exploited in the wild. The Internet Explorer flaw was found by Clement Lecigne at Google’s Threat Analysis Group, who reported the vulnerability to Microsoft.

The remote code execution flaw, tracked as CVE-2018-8653, is in the Internet Explorer scripting engine, in the way it handles objects in memory. If the flaw is exploited, an attacker could corrupt memory in a way that allows the execution of arbitrary code with the same level of privileges as the current user.

If the attack happens while a user with administrative privileges is logged in, an attacker would be able to take complete control of the user’s device and install programs, modify or erase data, or create new accounts with full admin privileges.

For the flaw to be exploited, a user would need to visit a specially crafted web page containing the exploit code. This might be achieved through malvertising (malicious advertisements that redirect users to the malicious web pages) or by sending emails containing a hyperlink to the malicious web page.

Updates have been issued for:

  • Internet Explorer 11 on Windows 10
  • Windows 8.1
  • Windows 7 SP1
  • Internet Explorer 10 on Windows Server 2012
  • Internet Explorer 9 on Windows Server 2008

Obviously, the updates must be applied as soon as possible, although temporary measures can be taken to defend against attack until the update is applied. Microsoft suggests removing the Everyone group's permissions on the jscript.dll file. This will not have any adverse effects for users of Internet Explorer 9, 10, or 11, which use the jscript9.dll file by default.

To modify the permissions on 32-bit systems, enter the following command at an admin command prompt:

cacls %windir%\system32\jscript.dll /E /P everyone:N

On 64-bit systems, enter the following command:

cacls %windir%\syswow64\jscript.dll /E /P everyone:N
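
To confirm on a given machine whether the temporary measure above is in place, the following PowerShell check can be used. It is an added example, not code from Microsoft or from this article. It assumes the `everyone:N` setting appears in the file's ACL as a Deny entry for the Everyone SID (S-1-1-0), and the function name `Get-JscriptWorkaroundState` is hypothetical.

```powershell
# Added example: report whether the Everyone-deny workaround is present on jscript.dll.
# Assumption: cacls "everyone:N" is stored as a Deny ACE for the Everyone SID (S-1-1-0).
# Written to run on Windows PowerShell 2.0 and later.

# Use the path the article gives per architecture: SysWOW64 exists only on 64-bit Windows.
$dir = if (Test-Path (Join-Path $env:windir 'SysWOW64')) { 'SysWOW64' } else { 'System32' }
$dll = Join-Path $env:windir (Join-Path $dir 'jscript.dll')

function Get-JscriptWorkaroundState {
    param([Parameter(Mandatory = $true)][string]$Path)

    if (-not (Test-Path -LiteralPath $Path)) { return 'FileMissing' }

    try {
        $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop
    } catch {
        # Reading the ACL can itself be refused (for example by a deny entry),
        # so report that state instead of guessing.
        return 'AclUnreadable'
    }

    # Ask for identities as SIDs so the match does not depend on the
    # localized name of the Everyone group.
    $sidType = [System.Security.Principal.SecurityIdentifier]
    $deny = $acl.GetAccessRules($true, $true, $sidType) | Where-Object {
        $_.IdentityReference.Value -eq 'S-1-1-0' -and
        $_.AccessControlType -eq [System.Security.AccessControl.AccessControlType]::Deny
    }

    if ($deny) { 'WorkaroundApplied' } else { 'WorkaroundNotApplied' }
}

# One record per machine, suitable for collecting across a fleet.
New-Object PSObject -Property @{
    Computer = $env:COMPUTERNAME
    Path     = $dll
    State    = Get-JscriptWorkaroundState -Path $dll
}
```

Run it from an elevated 64-bit PowerShell session on 64-bit systems; a 32-bit session sees `System32` redirected to `SysWOW64`.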

No details have been released to date on the current attacks that are exploiting this vulnerability. Google has yet to provide that information to Microsoft.