
Microsoft Issues Emergency Fix For Internet Explorer Zero Day (bleepingcomputer.com) 39

An anonymous reader quotes a report from Bleeping Computer: Microsoft has released an out-of-band security update that fixes an actively exploited vulnerability in Internet Explorer. This vulnerability has been assigned ID CVE-2018-8653 and was discovered by Google's Threat Analysis Group when they saw the vulnerability being used in targeted attacks. According to Microsoft's security bulletin, this is a vulnerability in how the Internet Explorer scripting engine handles objects in memory. Attackers can use this vulnerability to corrupt memory in such a way that attackers could execute code under the security privileges of the logged-in user. This vulnerability can also be used to launch attacks through specially crafted web sites that utilize the exploit code. This means that attackers can utilize this feature in exploit kits or by compromising legitimate sites and adding code that exploits the vulnerability.

"A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer," states Microsoft's advisory. "The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights."

  • by Anonymous Coward
    This is why I use Microsoft on all non-web mission-critical facilities. Guaranteed security. Linux can't match and never will thanks to Linus. Great for my hobbyist machines tho.
  • No more JIT! (Score:4, Interesting)

    by Gravis Zero ( 934156 ) on Friday December 21, 2018 @08:24AM (#57841254)

    It's become obvious that JIT is a persistent threat that cannot reliably be tamed. If browser makers actually cared about security they would at least make it an option to disable JIT and use an interpreter in its place. Sadly, the browser wars have become a race to see who can run the most garbage scripts as fast as possible and damn the consequences.

    • Thanks. You validate that there is at least one other human who finds fault with the idea: "Hey, I know you don't know us but here are 30 complex scripts that we'd like you to run on your machine. Sure, we have a lot of good reason to screw you and track you, but just ignore that and run them anyway." It's surprising to me how many people flame away with some kind of convenience-based argument.
  • Microsoft still has Internet Explorer? Does anybody else?
  • Why are Microsoft still releasing patches for Internet Explorer? Didn't it get replaced by Edge years ago?

    • by uffe_nordholm ( 1187961 ) on Friday December 21, 2018 @10:49AM (#57841810)
      For most people, yes. But as I understand things, there is still quite a lot of IT-infrastructure internal to various companies that will not work on anything other than IE. Thus these companies have a choice: live with IE, or invest a lot of money on modernising the IT-infrastructure. Since the cost of modernising anything will be a hit to the managers' annual bonus, guess what they choose?



      In this instance, with the word "infrastructure" I don't necessarily mean the physically tangible things, but rather the intangible things like bespoke software or other similar things developed for one particular company's internal needs.
      • As well as a lot of people who think "e" == Internet and will not use another browser. Some of them may not know another browser exists.
        • As well as a lot of people who think "e" == Internet and will not use another browser.

          Microsoft tried to help with this. They hide the IE icon, make Edge the default browser, and try to schlep you back into Edge if/when you launch IE.

          Enterprises are the primary users of IE now because of fear of breaking things, custom, or real application compatibility requirements.

          P.s. if you have real application compatibility requirements, take a look at Enterprise Mode. One of its features is you can use Edge and hav

    • I'm running an XP box with a registry hack* [pcworld.com] that makes it think it's an ATM or other embedded OS. I still get security updates.

      The only goddam browser that will work on it is IE.

      Not that any web site understands what the fuck it is ...

      *Windows XP registry hack keeps security updates rolling for the dead operating system

    • by E-Rock ( 84950 )

      We still have a couple legacy apps that are IE only. :(

      It's sad. We've been saying for years that this is a problem and it needs replaced, but it's still there. So it sucks that we can't remove it from our machines, and it's good they're still doing security updates.

    • by antdude ( 79039 )

      Windows, before 10, doesn't have Edge. :P

  • Couldn't they just email the fix to the remaining two non-corporate users?
    • Try millions [windowslatest.com] of users (April 4, 2018) both corporate and private. I use one for security camera duty.

      Windows XP has more market share than the top version of macOS.

  • Who knows what the author thinks a zero-day means, but it's wrong.

    A zero day means "The software company has known about it for zero days." There won't be many defenses against it, because it's been known about for zero days. In this case, Microsoft has known about it for a few days at least, and there is a patch available. So it is a 10 day exploit, or 15 day exploit.
    • by Anonymous Coward

      What are you going on about? It was discovered by Google being exploited in the wild before Microsoft knew about it. That's basically the textbook definition of a zero day.

      • What are you going on about? It was discovered by Google

        Yes, it was a zero day. Once Microsoft knew about it, it became a day-1 exploit. (Whether it was being exploited in the wild or not is irrelevant).

    • came here to say this. +1
