Submitted via IRC for Bytram
Microsoft delivers emergency patch for under-attack IE
Microsoft rarely mentions Internet Explorer (IE) anymore, but when it does, it usually means bad news.
So it was Wednesday, when Microsoft issued a rare emergency security update to plug a critical vulnerability in the still-supported IE9, IE10 and IE11. The flaw was reported to Microsoft by Google security engineer Clement Lecigne.
According to Microsoft, attackers are already exploiting the vulnerability, making it a classic "zero-day" bug. Because of that, the company released a fix before the next round of security updates scheduled for Jan. 8.
The update was issued to Windows 7, 8.1 and 10 - the latter with patches for versions 1607 and later - as well as Windows Server 2008, 2012, 2016 and 2019. (Updates for some versions of Windows 10 - 1607 and 1703 - were available only to Windows 10 Enterprise and Windows 10 Education.)
"A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer," Microsoft stated in the CVE-2018-8653 support document. "The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user."
The vulnerability could be exploited simply by drawing users running IE9, IE10 or IE11 to a malicious website, perhaps with a phishing email.
[...] The IE security fix will be automatically offered, downloaded and installed on most unmanaged Windows PCs.
(Score: 3, Informative) by ElizabethGreene on Thursday December 20 2018, @06:13PM (2 children)
Yes and no. The effected binary is Jscript.dll which is not the default javascript engine in IE 10 and 11. The default engine in those is Jscript9.dll. The old engine can be used by a modern browser under certain circumstances.
I assume those circumstances include explicitly asking for it and/or compatibility rendering scenarios, but I haven't been able to demonstrate that to my satisfaction yet.
(Score: 3, Funny) by ElizabethGreene on Friday December 21 2018, @12:24AM (1 child)
Apologies for failing to mention this earlier; I'm a Microsoft Platforms PFE supporting enterprise customers.
(Score: 0) by Anonymous Coward on Friday December 21 2018, @09:35AM
Thanks for the useful insider reply and sorry to hear of your predicament.