Microsoft releases security update for new IE zero-day
Microsoft has released an out-of-band security update today, December 19, for an Internet Explorer vulnerability that is currently being abused in the wild.
The OS maker credited Clement Lecigne of Google’s Threat Analysis Group with discovering and reporting the IE zero-day.
According to a security advisory released alongside the update package, the IE zero-day can allow an attacker to execute malicious code on a user’s computer.
Tracked as CVE-2018-8653, this zero-day can be exploited in web-based scenarios, where an attacker lures a user to a malicious site that runs malicious code on the user’s computer.
The issue can also be exploited via applications that embed the IE scripting engine to render web-based content, such as the apps that are part of the Office suite.
The good news, according to Microsoft, is that the attacker gets code execution with the same privileges as the victim’s user account. If the victim is using an account with limited access, the damage can be contained to simple operations, although this might still be enough to plant malware on the victim’s computer.
However, things are a little more complicated. In the previous four months, Microsoft has patched four other zero-days. All these zero-days allow something called “elevation of privilege.”
This means that if a victim has missed any of the previous four Windows Patch Tuesday patches, an attacker can chain the IE zero-day with one of the previous zero-days (CVE-2018-8611, CVE-2018-8589, CVE-2018-8453, CVE-2018-8440) to gain SYSTEM-level access, and immediately take over a targeted computer.
This is why it is extremely important that users keep their systems up to date, especially with Microsoft’s recent security updates.
Microsoft today released KB4483187, KB4483230, KB4483234, KB4483235, KB4483232, KB4483228, KB4483229, and KB4483187 to address the IE zero-day.
With the winter holiday coming fast for many IT departments, some administrators might not have the time to test and deploy today’s security update.
Microsoft has anticipated this inconvenience, and the CVE-2018-8653 security advisory also contains workarounds that restrict access to the IE scripting engine until system administrators can deploy today’s official patch.
Microsoft Edge, the company’s latest browser, is not impacted by this zero-day.