Microsoft releases emergency patch for zero-day in Internet Explorer

• Google security researcher finds remote code execution zero-day flaw in Internet Explorer’s scripting engine from exploits in the wild
• The vulnerability could allow an attacker to gain control of the target system, install malicious programs, create other user accounts, and read or modify data

Internet Explorer may have gone out of use for many people but it still retains its place on many Windows systems. As long as it remains active, its security maintenance is also important.

Normally, Microsoft releases patches for its various software in a fixed schedule. However, certain emergencies may need a priority patch release. Yesterday, Microsoft released an out-of-band update for Internet Explorer to fix a zero-day vulnerability found recently from exploits in the wild.

Clement Lecigne from Google’s Threat Analysis Group, found a remote code execution (RCE) flaw in Internet Explorer’s scripting engine and reported it to Microsoft. This vulnerability, tracked as CVE-2018-8653, is the reason behind the sudden update.

The Internet Explorer versions affected by this flaw are IE 9 on Windows Server 2008, IE 10 on Windows Server 2012, IE 11 from Windows 7 to Windows 10, and IE 11 on Windows Server 2019, Windows Server 2016, Windows Server 2008 R2, Windows Server 2012 R2.

The flaw originates from the way the scripting engine handles memory objects in Internet Explorer, as per the security advisory from Microsoft. The vulnerability could allow attackers to execute arbitrary code from the users’ context.

“If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights,” Microsoft reported. Furthermore, the security advisor stated, “In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit the vulnerability through Internet Explorer and then convince a user to view the website, for example, by sending an email.”

Reportedly, the vulnerability was discovered from exploits in the wild by Google’s security researchers. However, neither any technical details of the exploit nor any ongoing cyber attack campaigns exploiting this flaw have been reported by Google or Microsoft.

Since it is a critical zero-day bug, all users are advised to update their Internet Explorer to the latest version. “Customers who have Windows Update enabled and have applied the latest security updates, are protected automatically. We encourage customers to turn on automatic updates,” Microsoft said.