Microsoft Issues Emergency Update for Internet Explorer
Officially, Internet Explorer is dead. Microsoft has discontinued the browser as of IE11 and replaced it with Edge. IE is, however, still maintained alongside the operating systems that it ran on, which means it’ll keep getting security updates throughout the lifetime of Windows 7 and 8. Microsoft has just issued an emergency security update for the browser to fix a flaw it says is already under active exploitation, though details on exactly how it’s being exploited have not been provided.
The company has published CVE-2018-8653, describing a remote code execution vulnerability in how the IE scripting engine handles objects in memory. An attacker who successfully exploits it would gain the same privileges as the currently logged-in user, including the ability to add and remove programs, view or change data, or create new user accounts with full administrator rights. The update plugs the hole by changing how the scripting engine handles objects in memory.
Microsoft is particularly warning about web-based attack scenarios, writing:
In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit the vulnerability through Internet Explorer and then convince a user to view the website, for example, by sending an email.
Microsoft learned about the exploit from Google engineer Clement Lecigne, according to ComputerWorld. The bug is a classic zero-day, meaning it’s already in the wild and being exploited — that’s why Microsoft is pushing a patch out now, instead of waiting for the usual update cycle on January 8.
The vulnerability affects the version of IE11 that shipped with Windows 7 to Windows 10, along with Windows Server 2012, 2016, and 2019. IE9 (Windows Server 2008) and IE10 (Windows Server 2012) are also impacted. Presumably, any older IE installations on Windows 7 are also impacted, but IE11 is the only version still supported. Users with Windows Update should have already received a security patch, but Windows 10 users can manually check for updates here. Other users can manually check here.
Anyone still using IE11 for any reason is generally advised to stop, by moving to Edge, Chrome, or Firefox. Unfortunately, even in 2018, there are still a handful of sites that only play well in IE. This is an indirect example of why allowing any single browser to so dominate the market is a bad idea (in relation to Chrome) — we’re literally still dealing with the fact that IE once held something like 95 percent of the browser market, even though that hasn’t been true for nearly 15 years.