Microsoft has urgently shipped a security patch for a remote code execution vulnerability affecting Internet Explorer (IE). The vulnerability, which was identified by a researcher at Google, has already been used by hackers to distribute malware.
Microsoft’s security team warned that the vulnerability – CVE-2018-8653 – would enable attackers to compromise targets’ computers by directing them to a malicious web page. Code that runs as a result executes with the same access rights as the logged-on user.
“If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system,” Microsoft said. “An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.”
While exploit code has not been publicly disclosed, Microsoft said the flaw lies in the way IE’s scripting engine handles objects in memory, allowing memory to be corrupted. The company has issued an out-of-band patch and is urging IE users to install it as soon as possible.
It is feared that hackers could use mass mailouts to point unpatched users to malicious sites. “In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit the vulnerability through Internet Explorer and then convince a user to view the website, for example, by sending an email,” Microsoft warned.
The vulnerability affects a number of versions of IE, including IE 11 on Windows 7 through Windows 10 and on Windows Server 2012, 2016 and 2019, among others.
Microsoft issued a statement on Thursday (19 December) thanking Google for alerting them to the issue: “Today, we released a security update for Internet Explorer after receiving a report from Google about a new vulnerability being used in targeted attacks.
“Customers who have Windows Update enabled and have applied the latest security updates are protected automatically. We encourage customers to turn on automatic updates.
“Microsoft would like to thank Google for their assistance.”