Vulnerability fixed in the latest update release

Dec 20, 2018 06:24 GMT

A Google engineer has discovered a zero-day flaw in Internet Explorer that would allow an attacker to take full control of an unpatched system.

Detailed in CVE-2018-8653, the scripting engine memory corruption vulnerability affects Internet Explorer on all supported versions of Windows, from Windows 7 to Windows 10 (version 1809 included).

The bug was discovered and reported to Microsoft by Clement Lecigne of Google’s Threat Analysis Group. While it wasn’t publicly disclosed, the vulnerability is already being exploited, according to Microsoft.

To compromise a vulnerable system, an attacker needs to point users to a malicious website specifically created to exploit the flaw. As a result, users are advised to stay away from untrusted web links until they patch their devices.

Microsoft Edge fully secure

“A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user,” Microsoft explains.

“If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.”

Microsoft has already resolved the security flaw with the latest Windows 10 cumulative updates, and security patches have also been released for Windows 7 and Windows 8.1. The Windows 7 and Windows 8.1 patches are available right now from Windows Update as KB4483187 for both systems.

Internet Explorer is no longer Microsoft’s number one browser, but it continues to receive security updates. Microsoft Edge is not affected by the vulnerability.