Microsoft issued an out-of-band security update on Wednesday, December 19, to stop attackers exploiting a critical zero-day vulnerability in Internet Explorer (IE) that was already being used in targeted attacks. Although Microsoft Edge replaced it as the default browser on Windows 10, IE is still the default on earlier versions of Windows, and its JScript scripting engine is also used to render web-based content inside other applications such as Office, so the exposure is not limited to people who open the browser itself.
Clement Lecigne of Google's Threat Analysis Group is credited with discovering the zero-day, which has been assigned the identifier CVE-2018-8653. It is a remote code execution vulnerability in the way the scripting engine handles objects in memory: an attacker lures the victim to a specially crafted web page, and script on that page corrupts memory in a way that lets the attacker's code run with the same privileges as the logged-in user.
The flaw does not elevate privileges on its own, so the worst case is a victim who is already logged in with administrative rights. In that scenario the attacker takes control of the machine and can “view, change, or delete data; or create new accounts with full user rights.” For a victim running as a standard user, the damage is limited to what that account can already do. The vulnerability affects supported versions of Windows shipping IE 9, 10 and 11, and Windows Update pushes the fix automatically.
If automatic updates are disabled or blocked on your system, now would be a good time to check for and install updates manually.
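The checks below are an added example, not code from the KitGuru article or from Microsoft. They gather the facts an administrator needs before deciding whether a machine has received the fix: the installed IE version, the file version and modification date of the vulnerable JScript engine (jscript.dll), whether the Windows Update service and policy allow updates at all, the most recent hotfixes, and what the Windows Update Agent still reports as pending. The registry keys, paths and COM API used are the standard Windows ones; the script assumes Windows 7 or later with PowerShell 5.1, and it reports state rather than deciding for you that a given build is patched, because the fixed file version differs per OS.

```powershell
# Added example (not from the KitGuru article or Microsoft): gather the facts needed
# to judge whether the December 19 out-of-band fix has reached this machine.
# Assumes Windows 7 or later with PowerShell 5.1 and a local console session.
# The script reports state; it does not itself decide whether a build is patched.

# 1. Which IE is installed? svcVersion holds the real version on IE 10/11,
#    the legacy Version value is what IE 9 reports.
$ie = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Internet Explorer'
$ieVersion = if ($ie.svcVersion) { $ie.svcVersion } else { $ie.Version }
"Internet Explorer version: $ieVersion"

# 2. File version of the vulnerable component, the JScript engine (jscript.dll).
#    64-bit Windows carries two copies; 32-bit IE processes load the SysWOW64 one.
$dlls = @("$env:windir\System32\jscript.dll")
if (Test-Path "$env:windir\SysWOW64\jscript.dll") {
    $dlls += "$env:windir\SysWOW64\jscript.dll"
}
foreach ($dll in $dlls) {
    $item = Get-Item $dll
    "{0}: {1} (modified {2:yyyy-MM-dd})" -f $dll, $item.VersionInfo.FileVersion, $item.LastWriteTime
}

# 3. Is Windows Update allowed to run? Check the service and the AU policy key
#    (NoAutoUpdate = 1 means automatic updates are turned off by policy).
$wu = Get-Service wuauserv
"Windows Update service: status={0} startup={1}" -f $wu.Status, $wu.StartType
$au = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU' -ErrorAction SilentlyContinue
if ($au -and $au.NoAutoUpdate -eq 1) {
    "Automatic updates are DISABLED by policy; updates must be installed manually"
}

# 4. Most recent hotfixes, so you can see whether anything landed on or after 19 Dec 2018.
Get-HotFix | Where-Object { $_.InstalledOn } |
    Sort-Object InstalledOn -Descending |
    Select-Object -First 5 HotFixID, Description, InstalledOn

# 5. Ask the Windows Update Agent what is still pending. This is the same search the
#    Windows Update UI performs and needs network access to the configured update source.
$session  = New-Object -ComObject Microsoft.Update.Session
$searcher = $session.CreateUpdateSearcher()
$pending  = $searcher.Search("IsInstalled=0 and Type='Software' and IsHidden=0")
if ($pending.Updates.Count -eq 0) {
    "No pending software updates reported"
} else {
    "Pending updates:"
    foreach ($u in $pending.Updates) { "  - " + $u.Title }
}
```

Run it from an elevated PowerShell console. If the pending list contains a cumulative security update or a cumulative update for Internet Explorer dated December 2018, install it through the Windows Update UI and reboot; afterwards the jscript.dll modification date in step 2 should move to the install date.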
KitGuru Says: Given that Microsoft didn’t share the details of the attack, it’s unknown exactly how the attacker would lure a victim onto a specific malicious site. Perhaps even more confusing is why people are still opting for IE when there are much better alternatives, but who am I to judge? When was the last time you used IE?