Microsoft Issues Emergency Fix For Internet Explorer Zero Day

An anonymous reader quotes a report from Bleeping Computer: Microsoft has released an out-of-band security update that fixes an actively exploited vulnerability in Internet Explorer. This vulnerability has been assigned ID CVE-2018-8653 and was discovered by Google's Threat Analysis Group when they saw the vulnerability being used in targeted attacks. According to Microsoft's security bulletin this is vulnerability in how the Internet Explorer scripting engine handles objects in memory. Attackers can use this vulnerability to corrupt memory in such a way that attackers could execute code under the security privileges of the logged in user. This vulnerability can also be used to launch attacks through specially crafted web sites that utilize the exploit code. This means that attackers can utilize this feature in exploit kits or by compromising legitimate sites and adding code that exploits the vulnerability.

"A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer," states Microsoft's advisory. "The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights."

Linux can't move this fast

This is why I use Microsoft on all non-web mission-critical facilities. Guaranteed security. Linux can't match and never will thanks to Linus. Great for my hobbyist machines tho.

Re: Linux can't move this fast

LOL. Except that it does move that fast. You are just an idiot and dont understand public vs commercial software

Re: Linux can't move this fast

+1

Re: Linux can't move this fast

And yet you didn't convince anyone - like all Linux converts you are self righteous, convinced of your superiority and over confident of victory. Yet somehow no one wants to use Linux except in highly monitored server environments surrounded by cloistered priests.

No more JIT!

[Gravis+Zero]

It's become obvious that JIT is a persistent threat that cannot reliably be tamed. If browser makes actually cared about security that would at least make it an option to disable JIT and use an interpreter in it's place. Sadly, it's the browser wars have become a race to see who can run the most garbage scripts as fast as possible and damn the consequences.

Re:No more JIT!

Sorry - corruptions do not just occur. As there is now a fix, it appears to be a coding error,
broken pointer, one off, bad stack handling etc.
Now MS makes a pretty collective penny on its OS, so there SHOULD be code auditors on the ball inspecting critical code - and script engines are the daddy of them all. I have a little tear in my eye, now that Bulgarian ATM hackers have lost another script exploit. ATM owners must be getting sick of pepetual upgrades,

Re:No more JIT!

[Seven+Spirals]

Thanks. You validate that there is at least one other human who finds fault with the idea: "Hey, I know you don't know us but here are 30 complex scripts that we'd like you to run on your machine. Sure, we have a lot of good reason to screw you and track you, but just ignore that and run them anyway." It's surprising to me how many people flame away with some kind of convenience-based argument.

Re:No more JIT!

This is why a script blocking plugin like NoScript is absolutely indispensable for modern web browsing.

We could use this exploit for good

And use remote code execution to set Firefox as default browser.

Re: We could use this exploit for good

What is remote code execution?

Re: We could use this exploit for good

[olsmeister]

You may know it as Javascript.

Slashdot behind the times...

...this news came out two days ago.

And slashdot will probably have a dupe in 3 days time.

Slashdot used to be a good source for tech news.

Sigh.

Re:Slashdot behind the times...

I'm surprised the summary didn't note that IE is also contributing to Global Warming.

Re:Slashdot behind the times...

[ArchieBunker]

Or dropping Trump's name somehow.

Re:Slashdot behind the times...

[CaptainDork]

It doesn't do that any more, you insensitive clod.

MS has implemented IE blockchain in a proprietary cryptocurrencyized algorithmic preanalyticalization of cloud-based JIT.

who is using ie anyway?

i tought this was abandonware :)

Re:who is using ie anyway?

Anybody who wants a working browser on Windows. That's ie's (and edge's) only purpose now.

Re:who is using ie anyway?

[Shikaku]

Still need it to install another browser on Windows initially. Well not necessarily need, but a lot less annoying to do.

Explorer?

[AndyKron]

Microsoft still has internet explorer? Does anybody else?

Words mean things.

If it is not an exploit discovered on the first day of release, it is not a zero day.

Re:Words mean things.

[ichthus]

you are incorrect

Internet Explorer?

[DontBeAMoran]

Why are Microsoft still releasing patches for Internet Explorer? Didn't it get replaced by Edge years ago?

Re:Internet Explorer?

[uffe_nordholm]

For most people, yes. But as I understand things, there is still quite a lot of IT-infrastructure internal to various companies that will not work on anything other than IE. Thus these companies have a choice: live with IE, or invest a lot of money on modernising the IT-infrastructure. Since the cost of modernising anything will be a hit to the managers' annual bonus, guess what they choose?



In this instance, with the word "infrastructure" I don't necessarily mean the physically tangible things, but rather the intangible things like bespoke software or other similar things developed for one particular company's internal needs.

Re: Internet Explorer?

[UnknowingFool]

As well as a lot of people who think "e" == Internet and will not use another browser. Some of them may not know another browser exists.

Re: Internet Explorer?

[ElizabethGreene]

As well as a lot of people who think "e" == Internet and will not use another browser.

Microsoft tried to help with this. They hide the ie icon, make Edge the default browser, and try to schlep you back into Edge if/when you launch IE.

Enterprises are the primary users of IE now because of fear of breaking things, custom, or real application compatibility requirements.

P.s. if you have real application compatibility requirements, take a look at Enterprise Mode. One of its features is you can use Edge and have it drop back to IE only for specific sites. Chrome has an add-in that does this too. It's called 'legacy browser support'.

(Full disclosure: I work as a PFE for Microsoft. Yes, I realize that makes my opinion invalid.)

Re:Internet Explorer?

[CaptainDork]

I'm running an XP box with a registry hack* that makes it think it's an ATM or other embedded OS. I still get security updates.

The only goddam browser that will work on it is IE.

Not that any web sites understands what the fuck it is ...

*Windows XP registry hack keeps security updates rolling for the dead operating system

Re:Internet Explorer?

[E-Rock]

We still have a couple legacy apps that are IE only. :(

It's sad. We've been saying for years that this is a problem and it needs replaced, but it's still there. So it sucks that we can't remove it from our machines, and it's good they're still doing security updates.

Re:Internet Explorer?

[antdude]

Windows, before 10, doesn't have Edge. :P

well

[cascadingstylesheet]

Couldn't they just email the fix to the remaining two non-corporate users?

Re:well

[CaptainDork]

Try millions of users (April 4, 2018 ) both corporate and private. I use one for security camera duty.

Windows XP has more market share than the top version of macOS.

Re:well

Get better security cameras. If the camera manufacturer thought it was a good idea to require IE, what other misfeatures (read: gaping security holes) did they think was a good idea?

Re:well

[CaptainDork]

You're not aware that I'm a retired IT guy. Should you decide to enter the field, you, too will know what the fuck you're talking about. I don't rely on a "they."

Windows XP, to this day, receives security updates.

Re:well

No, it doesn't, and you asserting that as if true or accurate (one patch or a few doesn't mean it's receiving all due security updates, moron) draws strong doubts into your abilities to handle a real IT situation, while promoting XP in 2018.

Re:well

[CaptainDork]

I was hoping you would bite.

Registry hack enables Windows XP security updates until 2019
by Mark Tyson on 27 May 2014, 11:12

Bazinga!

Not a zero-day

[phantomfive]

Who knows what the author thinks a zero-day means, but it's wrong.

A zero day means "The software company has known about it for zero days." There won't be many defenses against it, because it's been known about for zero days. In this case, Microsoft has known about it for a few days at least, and there is a patch available. So it is a 10 day exploit, or 15 day exploit.

Re: Not a zero-day

What are you going on about? It was discovered by Google being exploited in the wild before Microsoft knew about it. That's the basically the textbook definition of a zero day.

Re: Not a zero-day

[phantomfive]

What are you going on about? It was discovered by Google

Yes, it was a zero day. Once Microsoft knew about it, it became a day-1 exploit. (Whether it was being exploited in the wild or not is irrelevant).

Re:Not a zero-day

[jkister]

came here to say this. +1

Kinda...

I kinda wish they left it unpatched. Let it die already.