On the first day of Christmas, Microsoft gave to me… an emergency out-of-band security patch for IE

Microsoft today emitted an emergency security patch for a flaw in Internet Explorer that hackers are exploiting in the wild to hijack computers.

The vulnerability, CVE-2018-8653, is a remote-code execution hole in the browser’s scripting engine.

Visiting a malicious website abusing this bug with a vulnerable version of IE is enough to be potentially infected by spyware, ransomware or some other software nasty. Thus, check Microsoft Update and install any available patches as soon as you can.

Any injected code will run with the privileges of the logged-in user, which is why browsing the web using Internet Explorer as an administrator is like scratching an itch with a loaded gun.

According to Redmond:

While exploit code for the bug has not been publicly disclosed, it is being leveraged in the wild to attack victims, according to Microsoft, hence why the patches are being flung out today out-of-band, rather than slipping them into January’s Patch Tuesday.

Clement Lecigne of Google’s Threat Analysis Group is credited for uncovered the flaw. We’ve pinged Google for more details on how miscreants are abusing the programming blunder.

A spokesperson for Microsoft’s security team said: “Today, we released a security update for Internet Explorer after receiving a report from Google about a new vulnerability being used in targeted attacks.

“Customers who have Windows Update enabled and have applied the latest security updates, are protected automatically. We encourage customers to turn on automatic updates. Microsoft would like to thank Google for their assistance.”

Internet Explorer 9 to 11 on Windows 7 to 10, Server 2008 to 2019, and RT 8.1 are affected, though the server editions run IE in a restricted mode that should thwart attacks via this vulnerability.

One workaround, if you want to hold off on installing patches immediately, is to disable access to JScript.dll using the commands listed by Microsoft in its above-linked advisory. That will force IE to use Jscript9.dll, which is not affected by the flaw. Any websites that rely on Jscript.dll will break, though.

A possible alternative is to not use Internet Explorer, of course. ®

READ MORE HERE