Security Alert: Internet Explorer scripting engine vulnerability

A remote code execution vulnerability has been identified in Microsoft Internet Explorer (IE) scripting engine in the way that the scripting engine handles objects in memory. The vulnerability affects the following installations of IE: Internet Explorer 11 from Windows 7 to Windows 10 as well as Windows Server 2012, 2016 and 2019; IE 9 on Windows Server 2008; and IE 10 on Windows Server 2012.

The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user.

How does this affect your organisation?

According to Microsoft, an attacker could host a specially crafted website that is designed to exploit the vulnerability through Internet Explorer and then convince a user to view the website. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

Microsoft Edge browser is not impacted by this zero-day vulnerability.

For more information about this vulnerability please refer to the links at the end of this alert.

Threat rating and recommendation

Based on information available at the time of this notice, we have classified this threat as Action Required.

Microsoft issued out-of-cycle urgent security patch for this vulnerability as well as KB4483187, KB4483230, KB4483234, KB 4483235, KB4483232, KB4483228, KB4483229, and KB4483187. Users who have Windows Update enabled and have applied the latest security updates are protected automatically. Windows 10 users can manually check for updates (please refer to the ‘More Information’ section of this advisory). Customers are recommended to review their environment and apply the appropriate patches as soon as possible.

Key:

Advice - no urgent remediation action required

Warning - watch and act

Action required - urgent remediation action required

More information

More information about this security vulnerability is available at the links below.

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8653

https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-8653#ID0EMGAC

https://www.zdnet.com/article/microsoft-releases-security-update-for-new-ie-zero-day/

https://krebsonsecurity.com/2018/12/microsoft-issues-emergency-fix-for-ie-zero-day/

https://support.microsoft.com/en-us/help/4027667/windows-10-update