On the first day of Christmas, MS gave to me, an emergency out-of-band security patch for IE
The Register ^ | Dec 19, 2018 | Chris Williams

Posted on 12/20/2018 7:03:22 PM PST by dayglored

Update Internet Explorer now after Google detects attacks in the wild

Microsoft today emitted an emergency security patch for a flaw in Internet Explorer that hackers are exploiting in the wild to hijack computers.

The vulnerability, CVE-2018-8653, is a remote-code execution hole in the browser's scripting engine.

Visiting a malicious website abusing this bug with a vulnerable version of IE is enough to be potentially infected by spyware, ransomware or some other software nasty. Thus, check Microsoft Update and install any available patches as soon as you can.

Any injected code will run with the privileges of the logged-in user, which is why browsing the web using Internet Explorer as an administrator is like scratching an itch with a loaded gun.

According to Redmond:

> A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.
>
> An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
>
> In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit the vulnerability through Internet Explorer and then convince a user to view the website, for example, by sending an email.

While exploit code for the bug has not been publicly disclosed, it is being leveraged in the wild to attack victims, according to Microsoft, hence why the patches are being flung out today out-of-band, rather than slipping them into January's Patch Tuesday.

Clement Lecigne of Google’s Threat Analysis Group is credited for uncovering the flaw. We've pinged Google for more details on how miscreants are abusing the programming blunder.

A spokesperson for Microsoft's security team said: "Today, we released a security update for Internet Explorer after receiving a report from Google about a new vulnerability being used in targeted attacks.

"Customers who have Windows Update enabled and have applied the latest security updates, are protected automatically. We encourage customers to turn on automatic updates. Microsoft would like to thank Google for their assistance."

Internet Explorer 9 to 11 on Windows 7 to 10, Server 2008 to 2019, and RT 8.1 are affected, though the server editions run IE in a restricted mode that should thwart attacks via this vulnerability.

One workaround, if you want to hold off on installing patches immediately, is to disable access to JScript.dll using the commands listed by Microsoft in its above-linked advisory. That will force IE to use Jscript9.dll, which is not affected by the flaw. Any websites that rely on Jscript.dll will break, though.

A possible alternative is to not use Internet Explorer, of course. ®


TOPICS: Business/Economy; Computers/Internet; Hobbies
KEYWORDS: ie; microsoft; patch; windows; windowspinglist
Get patchin', everybody...
1 posted on 12/20/2018 7:03:22 PM PST by dayglored
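A read-only check for two points in the article above, added here as an example and not part of the original post or of Microsoft's advisory: whether the current session runs with administrator rights, and whether this user can still read jscript.dll. It assumes that once access to the DLL has been disabled the file can no longer be opened for reading; the function names are hypothetical.

```powershell
# Added example: read-only check, changes nothing on the system.
# Assumption: once access to jscript.dll is disabled, the current user can no
# longer open the file for reading. Function names are hypothetical.
# Run from 64-bit PowerShell so that System32 is not redirected to SysWOW64.

function Test-IsElevated {
    # True when the current token holds the local Administrators role.
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($id)
    $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-JScriptAccessState {
    $paths = @(
        (Join-Path $env:windir 'System32\jscript.dll'),
        (Join-Path $env:windir 'SysWOW64\jscript.dll')  # 32-bit copy on 64-bit Windows
    )
    foreach ($path in $paths) {
        $state = 'Readable (access not disabled for this user)'
        if (-not (Test-Path -LiteralPath $path)) {
            $state = 'Not present'
        } else {
            try {
                # Opening for read is enough; the content is never used.
                $stream = [IO.File]::OpenRead($path)
                $stream.Dispose()
            } catch [UnauthorizedAccessException] {
                $state = 'Access denied (consistent with the workaround)'
            }
        }
        [pscustomobject]@{ Path = $path; State = $state }
    }
}

if (Test-IsElevated) {
    'Session is elevated: code injected into a browser here would run as administrator.'
} else {
    'Session is running with standard user rights.'
}
Get-JScriptAccessState | Format-Table -AutoSize
```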

To: Abby4116; afraidfortherepublic; aft_lizard; AF_Blue; AppyPappy; arnoldc1; ATOMIC_PUNK; bajabaja; ...
Using IE? Better patch this one ... PING!

You can find all the Windows Ping list threads with FR search: just search on keyword "windowspinglist".

2 posted on 12/20/2018 7:04:08 PM PST by dayglored ("Listen. Strange women lying in ponds distributing swords is no basis for a system of government."`)

To: dayglored

How many people still use IE?


3 posted on 12/20/2018 7:06:02 PM PST by Pearls Before Swine ( "It's always a party when you're eating the seed corn.")

To: dayglored

BTW, the original headline spelled out “Microsoft”, but “MS” let it fit into the thread title limit...


4 posted on 12/20/2018 7:07:01 PM PST by dayglored ("Listen. Strange women lying in ponds distributing swords is no basis for a system of government."`)

To: dayglored

Is this what caused a hands-off update/re-start on my Surface Pro a couple of hours ago??


5 posted on 12/20/2018 7:07:41 PM PST by T-Bird45 (It feels like the seventies, and it shouldn't.)

To: Pearls Before Swine

Lots.


6 posted on 12/20/2018 7:07:53 PM PST by Lurkina.n.Learnin (If you want a definition of "bullying" just watch the Democrats in the Senate)

To: Pearls Before Swine
> How many people still use IE?

Actually, quite a few. The new "Edge" browser isn't winning many fans, and a lot of folks have used IE for ages and it's deep in their comfort zone.

7 posted on 12/20/2018 7:08:04 PM PST by dayglored ("Listen. Strange women lying in ponds distributing swords is no basis for a system of government."`)

To: T-Bird45
> Is this what caused a hands-off update/re-start on my Surface Pro a couple of hours ago??

That would not surprise me.

8 posted on 12/20/2018 7:09:17 PM PST by dayglored ("Listen. Strange women lying in ponds distributing swords is no basis for a system of government."`)

To: dayglored

Anyone with any smarts does not use Internet Explorer. If you don’t use it then there is no worry.


9 posted on 12/20/2018 7:27:03 PM PST by Revel

To: dayglored

M$ would fit too.


10 posted on 12/20/2018 7:29:26 PM PST by Paladin2

To: dayglored

On the second day of Christmas Microsoft gave to me:
2 blue screens of death and
an emergency out of band security patch for IE.


11 posted on 12/20/2018 7:44:33 PM PST by DannyTN (I)

To: Pearls Before Swine

A LOT of corporate stuff still REQUIRES it.


12 posted on 12/20/2018 7:51:57 PM PST by Dr. Sivana (There is no salvation in politics.)

To: Pearls Before Swine; Chode; Squantos; All

I get whatever “Package HDW/SW” comes on the Machine is what I’m stuck with. If the rest of the world would hang back with Me in the Land-O-DOS6.0 or DOS6.2 OS and DotMatrix LPT the world would be in better shape.

< SIGH > Alas I conform as needed minimally. < /SIGH >

So I’m stuck with: 1 Box WIN7, 1 LT WIN8, 1 Box Vista, 2 Android Phones, 2 iPhones, 1 Android Tablet, 1 HP2430 Inkjet Printer/Scanner/Fax/Ink Funnel that must be Printing on Every piece of Paper on Earth EXCEPT MY PAPERS and one Old Hand Cranked Pencil Sharper with a dead 9 volt battery taped to it for effects.


13 posted on 12/20/2018 7:56:11 PM PST by mabarker1 (Congress- the opposite of PROGRESS!!!)

To: dayglored
> An attacker who successfully exploited the vulnerability could gain the same user rights as the current user

Which is why you should never be operating your computer under an Administrator Account. You should create a Standard User account to operate under and only use the Administrator account when needed to install software.

14 posted on 12/20/2018 8:06:47 PM PST by TheCipher (To my mind Judas Iscariot was nothing but a low, mean, premature Congressman. - Mark Twain)

To: dayglored

15 posted on 12/20/2018 8:37:47 PM PST by grey_whiskers (The opinions are solely those of the author and are subject to change without notice.)

To: Pearls Before Swine

“How many people still use IE?”

~7-15% IE & Edge combined


16 posted on 12/20/2018 9:20:59 PM PST by catnipman ((Cat Nipman: Vote Republican in 2012 and only be called racist one more time!))

To: dayglored

Are you actually insinuating there are still people around using IE?

News for all of them - you don’t need a patch, you need an intervention.


17 posted on 12/20/2018 9:38:39 PM PST by ImpBill (Conservative little "l" libertarian)

To: grey_whiskers
Needs to be repeated at least one more if not a dozen more times.

"...you should never be operating your computer under an Administrator Account. You should create a Standard User account to operate under and only use the Administrator account when needed to install software."

18 posted on 12/20/2018 9:42:24 PM PST by ImpBill (Conservative little "l" libertarian)

To: Pearls Before Swine

IE has been the de facto standard for a while - companies that use Windows platforms, like the government, won’t let users install other programs and focus their business around the built-in platforms....


19 posted on 12/21/2018 4:09:13 AM PST by trebb (Those who don't donate anything tend to be empty gasbags...no-value-added types)

To: dayglored

Avoid, of course.


20 posted on 12/21/2018 7:29:44 AM PST by bigbob (Trust Trump. Trust the Plan.)

