Slashdot Mirror

← Back to Stories (view on slashdot.org)

Microsoft Issues Emergency Fix For Internet Explorer Zero Day (bleepingcomputer.com)

Posted by BeauHD on from the quick-before-it's-too-late dept.

An anonymous reader quotes a report from Bleeping Computer: Microsoft has released an out-of-band security update that fixes an actively exploited vulnerability in Internet Explorer. This vulnerability has been assigned ID CVE-2018-8653 and was discovered by Google's Threat Analysis Group when they saw the vulnerability being used in targeted attacks. According to Microsoft's security bulletin this is vulnerability in how the Internet Explorer scripting engine handles objects in memory. Attackers can use this vulnerability to corrupt memory in such a way that attackers could execute code under the security privileges of the logged in user. This vulnerability can also be used to launch attacks through specially crafted web sites that utilize the exploit code. This means that attackers can utilize this feature in exploit kits or by compromising legitimate sites and adding code that exploits the vulnerability.

"A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer," states Microsoft's advisory. "The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights."

23 of 39 comments (clear)

  1. Linux can't move this fast by Anonymous Coward · · Score: 2, Funny

    This is why I use Microsoft on all non-web mission-critical facilities. Guaranteed security. Linux can't match and never will thanks to Linus. Great for my hobbyist machines tho.

  2. No more JIT! by Gravis+Zero · · Score: 3, Interesting

    It's become obvious that JIT is a persistent threat that cannot reliably be tamed. If browser makes actually cared about security that would at least make it an option to disable JIT and use an interpreter in it's place. Sadly, it's the browser wars have become a race to see who can run the most garbage scripts as fast as possible and damn the consequences.

    --
    Anons need not reply. Questions end with a question mark.
    1. Re:No more JIT! by Seven+Spirals · · Score: 1

      Thanks. You validate that there is at least one other human who finds fault with the idea: "Hey, I know you don't know us but here are 30 complex scripts that we'd like you to run on your machine. Sure, we have a lot of good reason to screw you and track you, but just ignore that and run them anyway." It's surprising to me how many people flame away with some kind of convenience-based argument.

  3. Re: We could use this exploit for good by olsmeister · · Score: 3, Funny

    You may know it as Javascript.

  4. Explorer? by AndyKron · · Score: 1

    Microsoft still has internet explorer? Does anybody else?

  5. Internet Explorer? by DontBeAMoran · · Score: 1

    Why are Microsoft still releasing patches for Internet Explorer? Didn't it get replaced by Edge years ago?

    --
    #DeleteFacebook
    1. Re:Internet Explorer? by uffe_nordholm · · Score: 3, Insightful

      For most people, yes. But as I understand things, there is still quite a lot of IT-infrastructure internal to various companies that will not work on anything other than IE. Thus these companies have a choice: live with IE, or invest a lot of money on modernising the IT-infrastructure. Since the cost of modernising anything will be a hit to the managers' annual bonus, guess what they choose?



      In this instance, with the word "infrastructure" I don't necessarily mean the physically tangible things, but rather the intangible things like bespoke software or other similar things developed for one particular company's internal needs.

    2. Re: Internet Explorer? by UnknowingFool · · Score: 1

      As well as a lot of people who think "e" == Internet and will not use another browser. Some of them may not know another browser exists.

      --
      Well, there's spam egg sausage and spam, that's not got much spam in it.
    3. Re: Internet Explorer? by ElizabethGreene · · Score: 2

      As well as a lot of people who think "e" == Internet and will not use another browser.

      Microsoft tried to help with this. They hide the ie icon, make Edge the default browser, and try to schlep you back into Edge if/when you launch IE.

      Enterprises are the primary users of IE now because of fear of breaking things, custom, or real application compatibility requirements.

      P.s. if you have real application compatibility requirements, take a look at Enterprise Mode. One of its features is you can use Edge and have it drop back to IE only for specific sites. Chrome has an add-in that does this too. It's called 'legacy browser support'.

      (Full disclosure: I work as a PFE for Microsoft. Yes, I realize that makes my opinion invalid.)

    4. Re:Internet Explorer? by CaptainDork · · Score: 1

      I'm running an XP box with a registry hack* that makes it think it's an ATM or other embedded OS. I still get security updates.

      The only goddam browser that will work on it is IE.

      Not that any web sites understands what the fuck it is ...

      *Windows XP registry hack keeps security updates rolling for the dead operating system

      --
      It little behooves the best of us to comment on the rest of us.
    5. Re:Internet Explorer? by E-Rock · · Score: 1

      We still have a couple legacy apps that are IE only. :(

      It's sad. We've been saying for years that this is a problem and it needs replaced, but it's still there. So it sucks that we can't remove it from our machines, and it's good they're still doing security updates.

    6. Re:Internet Explorer? by antdude · · Score: 1

      Windows, before 10, doesn't have Edge. :P

      --
      Ant(Dude) @ Quality Foraged Links (AQFL.net) & The Ant Farm (antfarm.ma.cx / antfarm.home.dhs.org).
  6. well by cascadingstylesheet · · Score: 1

    Couldn't they just email the fix to the remaining two non-corporate users?

    1. Re:well by CaptainDork · · Score: 1

      Try millions of users (April 4, 2018 ) both corporate and private. I use one for security camera duty.

      Windows XP has more market share than the top version of macOS.

      --
      It little behooves the best of us to comment on the rest of us.
    2. Re:well by CaptainDork · · Score: 1

      You're not aware that I'm a retired IT guy. Should you decide to enter the field, you, too will know what the fuck you're talking about. I don't rely on a "they."

      Windows XP, to this day, receives security updates.

      --
      It little behooves the best of us to comment on the rest of us.
    3. Re:well by CaptainDork · · Score: 1

      I was hoping you would bite.

      Registry hack enables Windows XP security updates until 2019
      by Mark Tyson on 27 May 2014, 11:12

      Bazinga!

      --
      It little behooves the best of us to comment on the rest of us.
  7. Re:Slashdot behind the times... by CaptainDork · · Score: 1

    It doesn't do that any more, you insensitive clod.

    MS has implemented IE blockchain in a proprietary cryptocurrencyized algorithmic preanalyticalization of cloud-based JIT.

    --
    It little behooves the best of us to comment on the rest of us.
  8. Re:Words mean things. by ichthus · · Score: 2

    you are incorrect

    --
    sig: sauer
  9. Not a zero-day by phantomfive · · Score: 1

    Who knows what the author thinks a zero-day means, but it's wrong.

    A zero day means "The software company has known about it for zero days." There won't be many defenses against it, because it's been known about for zero days. In this case, Microsoft has known about it for a few days at least, and there is a patch available. So it is a 10 day exploit, or 15 day exploit.

    --
    "First they came for the slanderers and i said nothing."
    1. Re: Not a zero-day by Anonymous Coward · · Score: 1

      What are you going on about? It was discovered by Google being exploited in the wild before Microsoft knew about it. That's the basically the textbook definition of a zero day.

    2. Re: Not a zero-day by phantomfive · · Score: 1

      What are you going on about? It was discovered by Google

      Yes, it was a zero day. Once Microsoft knew about it, it became a day-1 exploit. (Whether it was being exploited in the wild or not is irrelevant).

      --
      "First they came for the slanderers and i said nothing."
    3. Re:Not a zero-day by jkister · · Score: 1

      came here to say this. +1

  10. Re:who is using ie anyway? by Shikaku · · Score: 1

    Still need it to install another browser on Windows initially. Well not necessarily need, but a lot less annoying to do.