Microsoft has been forced to release an emergency patch for a critical remote code execution vulnerability in Internet Explorer (IE) being actively exploited in the wild.
Clement Lecigne of Google’s Threat Analysis Group is credited with the discovery of the flaw (CVE-2018-8653), which apparently affects the way that the scripting engine handles objects in memory in IE.
“The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user,” Microsoft explained.
“If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.”
Redmond claimed that in a web-based attack, a hacker could host a malicious website designed to exploit the bug through IE and then trick the user into visiting, ie via a phishing email.
The security update addresses the vulnerability by modifying how the scripting engine handles objects in memory, it added.
“While details are not currently available, in most cases, attackers exploit similar vulnerabilities by sending convincing emails to their intended targets with a link to a specially crafted website containing the exploit code,” Satnam Narang, senior research engineer at Tenable.
“The vulnerability affects Internet Explorer 11 from Windows 7 to Windows 10 as well as Windows Server 2012, 2016 and 2019. Internet Explorer 9 is affected on Windows Server 2008, while Internet Explorer 10 is affected on Windows Server 2012. As the flaw is being actively exploited in the wild, users are urged to update their systems as soon as possible to reduce the risk of compromise."