Update now! Microsoft patches another zero-day flaw
Microsoft has found itself fixing a lot of zero-day flaws recently, including CVE-2018-8611, (patched this month), and November’s CVE-2018-8589 and CVE-2018-8589.
Now it has released an emergency patch for a remote code execution (RCE) zero-day vulnerability in Internet Explorer’s Jscript scripting engine affecting all versions of Windows, including Windows 10.
Identified as CVE-2018-8653, the flaw was reported by Google’s Threat Analysis Group researcher, Clement Lecigne, and according to Microsoft is being exploited in targeted attacks.
The company hasn’t elaborated on which attacks but the fact it’s being exploited at all explains why applying Microsoft’s patch should be a high priority.
According to Microsoft:
In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit the vulnerability through Internet Explorer and then convince a user to view the website, for example, by sending an email.
Exploitation depends on the privilege level of the targeted user, and Microsoft’s latest advice says admins might consider limiting access to Jscript.dll if they don’t plan to implement the patch soon.
On server systems (Server 2008, Server 2012, Server 2016, Server 2019), the severity rating is lowered from ‘critical’ to ‘moderate’ thanks to a restriction called Enhanced Security Configuration.
Windows 10 too
Scroll down on Microsoft’s advisory and you’ll notice that the patch is also being offered as an update to IE 11 for Windows 10.
But, hold on, didn’t Windows 10 replace IE with the Edge browser which uses a different scripting engine, Chakra?
Indeed it did, but for backwards compatibility reasons, IE components remain a default part of all Windows versions (with the possible exception of Windows 10 Pro Long Term Service Branch (LTSB), a customisable Windows version used by larger organisations).
So even if you don’t use IE 11 – or any Microsoft browser – bits of it are lurking on every Windows system, presumably in case any older Microsoft applications or websites need to use them.
Windows 10’s new start begone! This has always been Microsoft’s OS philosophy – steer clear of hard forks and make backwards compatibility a high priority.
What to do
Apply the patch. For Windows 10 users running Windows 10 64-bit 1803 (April 2018), the update is KB4483234.
Users who’ve managed to upgrade to the much-delayed Windows 10 64-bit 1809 (October 2018), should look for KB4483235.
For anyone still on Windows 10 64-bit 1709 (October 2017), it’s KB4483232.
As for older versions, Windows 8.1 for x64-based systems and Windows 7 for x64-based Systems Service Pack 1, it’s KB4483187.
30% off Sophos Home Premium
Sophos wants your holiday to be stress free. That means no stolen credentials, ransomware, hacking, spying, or malware. That’s why they’re offering 30% off Sophos Home Premium, which protects up to 10 of your family’s Macs or PCs.
And hopefully you can enjoy that pie without rushing off to save Uncle Barry from the ransomware he’s just installed with that e-card.