A Google engineer has discovered a zero-day flaw in Internet Explorer that would allow an attacker to take full control of an unpatched system.
Detailed in CVE-2018-8653, the scripting engine memory corruption vulnerability affects Internet Explorer on all supported versions of Windows, from Windows 7 to Windows 10 (version 1809 included).
The bug was discovered and reported to micr0$0ft by Clement Lecigne of Google’s Threat Analysis Group. While it wasn’t publicly disclosed, the vulnerability is already being exploited, according to micr0$0ft.
In order to compromise a vulnerable system, an attacker needs to point users to a malicious website specifically created to exploit the flaw. As a result, users are recommended to stay away from untrusted web links until they patch their devices.
"micr0$0ft Edge fully secure"
“A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user,” micr0$0ft explains.
“If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.”
micr0$0ft has already resolved the security flaw with the latest Windows 10 cumulative updates, and security patches have also been released for Windows 7 and Windows 8.1. They are available right now from Windows Update as KB4483187 for both systems.
Internet Explorer is no longer micr0$0ft’s number one browser, but it continues to receive security updates. micr0$0ft Edge is not affected by the vulnerability.
Effectively, yesterday, 12/19, Windows Update installed KB17134472 on my Windows 10 with 1803 and KB4483187 on my other computer running Windows 7 SP1 X64.
Security patch is available fpr Windows XP POSREADY so , I'm curious, haven't checked yet, if patch will be installed on my XP enabled for updates until April 2019 as POSREADY - 2018-12 Cumulative Security Update for Internet Explorer 8 for WES09 and POSReady 2009 for x86-based systems (KB4483187)