Stories
Slash Boxes
Comments

SoylentNews is people

Microsoft Delivers Emergency Patch for Under-Attack IE

posted by Fnord666 on Thursday December 20 2018, @11:31AM   Printer-friendly
from the people-still-use-IE? dept.

upstart writes:

Submitted via IRC for Bytram

Microsoft delivers emergency patch for under-attack IE

Microsoft rarely mentions Internet Explorer (IE) anymore, but when it does, it usually means bad news.

So it was Wednesday, when Microsoft issued a rare emergency security update to plug a critical vulnerability in the still-supported IE9, IE10 and IE11. The flaw was reported to Microsoft by Google security engineer Clement Lecigne.

According to Microsoft, attackers are already exploiting the vulnerability, making it a classic "zero-day" bug. Because of that, the company released a fix before the next round of security updates scheduled for Jan. 8.

The update was issued to Windows 7, 8.1 and 10 - the latter with patches for versions 1607 and later - as well as Windows Server 2008, 2012, 2016 and 2019. (Updates for some versions of Windows 10 - 1607 and 1703 - were available only to Windows 10 Enterprise and Windows 10 Education.)

"A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer," Microsoft stated in the CVE-2018-8653 support document. "The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user."

The vulnerability could be exploited simply by drawing users running IE9, IE10 or IE11 to a malicious website, perhaps with a phishing email.

[...] The IE security fix will be automatically offered, downloaded and installed on most unmanaged Windows PCs.

Original Submission

 
This discussion has been archived. No new comments can be posted.
Microsoft Delivers Emergency Patch for Under-Attack IE | Log In/Create an Account | Top | 9 comments | Search Discussion
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.

  • (Score: 2) by looorg on Thursday December 20 2018, @01:06PM (4 children)

    by looorg (578) on Thursday December 20 2018, @01:06PM (#776782)

    Microsoft rarely mentions Internet Explorer (IE) anymore, but when it does, it usually means bad news.

    Was there really a time when IE wasn't bad news? I can't recall ever hearing someone praise IE for it being good. Not even when it was brand spanking new, it was then still inferior to Netscape Navigator etc.

    Starting Score:    1  point
    Karma-Bonus Modifier   +1  
    Total Score:   2  

  • (Score: 3, Funny) by Runaway1956 on Thursday December 20 2018, @03:18PM (1 child)

    by Runaway1956 (2926) Subscriber Badge on Thursday December 20 2018, @03:18PM (#776808) Journal

    found a script to download and install Arch Linux over the Windows install.

    • (Score: 3, Funny) by ElizabethGreene on Thursday December 20 2018, @03:26PM

      by ElizabethGreene (6748) Subscriber Badge on Thursday December 20 2018, @03:26PM (#776814) Journal

      You did? Check your IDA settings, as you should have found a routine that adds bounds checking to some of the routines in our legacy ECMAScript provider, Jscript.dll.

  • (Score: 1) by EEMac on Thursday December 20 2018, @03:34PM

    by EEMac (6423) on Thursday December 20 2018, @03:34PM (#776816)

    Back in the Visual Basic days, IE supported ActiveX. ActiveX let you do some very sophisticated stuff that HTML wasn't yet ready for. IE is bad news now - and ActiveX was always bad for security - but for a few years it let you do things other browsers couldn't.

  • (Score: 2) by All Your Lawn Are Belong To Us on Thursday December 20 2018, @03:59PM

    by All Your Lawn Are Belong To Us (6553) on Thursday December 20 2018, @03:59PM (#776820) Journal

    The day they released Edge upon the world.

    --
    This sig for rent.