Microsoft has found itself fixing a lot of zero-day flaws recently, including CVE-2018-8611 (patched this month) and November’s CVE-2018-8589.
Now it has released an emergency patch for a remote code execution (RCE) zero-day vulnerability in Internet Explorer’s JScript scripting engine affecting all versions of Windows, including Windows 10.
Identified as CVE-2018-8653, the flaw was reported by Google’s Threat Analysis Group researcher, Clement Lecigne, and according to Microsoft is being exploited in targeted attacks.
The company hasn’t elaborated on which attacks but the fact it’s being exploited at all explains why applying Microsoft’s patch should be a high priority.
According to Microsoft:
In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit the vulnerability through Internet Explorer and then convince a user to view the website, for example, by sending an email.
Exploitation depends on the privilege level of the targeted user, and Microsoft’s latest advice says admins might consider limiting access to Jscript.dll if they don’t plan to implement the patch soon.
On server systems (Server 2008, Server 2012, Server 2016, Server 2019), the severity rating is lowered from ‘critical’ to ‘moderate’ thanks to a restriction called Enhanced Security Configuration.
Windows 10 too
Scroll down on Microsoft’s advisory and you’ll notice that the patch is also being offered as an update to IE 11 for Windows 10.
But, hold on, didn’t Windows 10 replace IE with the Edge browser which uses a different scripting engine, Chakra?
Indeed it did, but for backwards compatibility reasons, IE components remain a default part of all Windows versions (with the possible exception of Windows 10 Pro Long Term Service Branch (LTSB), a customisable Windows version used by larger organisations).
So even if you don’t use IE 11 – or any Microsoft browser – bits of it are lurking on every Windows system, presumably in case any older Microsoft applications or websites need to use them.
Windows 10’s new start begone! This has always been Microsoft’s OS philosophy – steer clear of hard forks and make backwards compatibility a high priority.
What to do
Apply the patch. For Windows 10 users running Windows 10 64-bit 1803 (April 2018), the update is KB4483234.
Users who’ve managed to upgrade to the much-delayed Windows 10 64-bit 1809 (October 2018), should look for KB4483235.
For anyone still on Windows 10 64-bit 1709 (October 2017), it’s KB4483232.
As for older versions, Windows 8.1 for x64-based systems and Windows 7 for x64-based Systems Service Pack 1, it’s KB4483187.
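One way to script that check on a single host, as an added example rather than anything from Microsoft or this article: it looks for the KB listed above for the running Windows version and, on Windows 8.1 or Server 2012 R2, compares jscript.dll with version 5.8.9600.19230, which Microsoft's KB4483187 notes (quoted in the comments on this page) give as the way to confirm protection. It assumes Windows PowerShell 3.0 or later on an x64 system; the function and variable names are made up for the example.

```powershell
# Added example. KB numbers and the jscript.dll version come from this page;
# everything else (names, messages) is illustrative.
$kbByRelease  = @{ '1709' = 'KB4483232'; '1803' = 'KB4483234'; '1809' = 'KB4483235' }
$kbLegacy     = 'KB4483187'                  # Windows 7 SP1 x64 and Windows 8.1 x64
$minJscript81 = [version]'5.8.9600.19230'    # Windows 8.1 / Server 2012 R2 only

function Get-ExpectedKb {
    param([version]$OsVersion, [string]$ReleaseId)
    # Windows 10: pick the KB by release; returns $null for releases not listed here.
    if ($OsVersion.Major -eq 10) { return $kbByRelease[$ReleaseId] }
    # 6.1 = Windows 7, 6.3 = Windows 8.1
    if ($OsVersion.Major -eq 6 -and (1, 3) -contains $OsVersion.Minor) { return $kbLegacy }
    return $null
}

$os        = [version](Get-CimInstance Win32_OperatingSystem).Version
$releaseId = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').ReleaseId
$kb        = Get-ExpectedKb -OsVersion $os -ReleaseId $releaseId

if (-not $kb) {
    Write-Output "No KB listed for OS $os (release '$releaseId'); check Microsoft's advisory."
} elseif (Get-HotFix -Id $kb -ErrorAction SilentlyContinue) {
    Write-Output "$kb is installed."
} else {
    # Absence of this exact KB is not proof of exposure: a later cumulative
    # update can carry the same fix under a different KB number.
    Write-Output "$kb not found; check for a superseding update before treating the host as unpatched."
}

# On 8.1 / 2012 R2 the About dialog can show the wrong KB, so check the file itself.
if ($os.Major -eq 6 -and $os.Minor -eq 3) {
    foreach ($dir in 'System32', 'SysWOW64') {
        $path = Join-Path $env:SystemRoot "$dir\jscript.dll"
        if (Test-Path $path) {
            $vi    = (Get-Item $path).VersionInfo
            $found = New-Object System.Version -ArgumentList `
                $vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart
            $state = if ($found -ge $minJscript81) { 'at or above patched version' }
                     else { 'BELOW patched version' }
            Write-Output "$path : $found ($state)"
        }
    }
}
```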
“Ask Woody” is reporting that some users are reporting crashes on Windows 7 after applying KB4483187. [URL removed]
So… does Intercept X protect against this?
Do UTM, XG and Sophos Central Endpoint block these threats and exploits?
The Sophos detection names to look out for are Mal/188653-A and Exp/188653-A.
MSHTML has been documented, as a part of the Windows Software Development Kit, for over 20 years. Any app on the system may have Internet Explorer embedded in it as a result. It’s specifically the cornerstone of the Windows XP and Vista help file formats.
The usual argument for using it in an app is that you need some portion of the web browser capability, for example to log in to a Google account. If you use your own Blink, Gecko or w/e, it’s only going to get updates when you patch it through whatever mechanism you have to patch with.
If you use MSHTML, you get Internet Exploder with all its terribleness – but at least you know Microsoft patched it last night and fixed that bug in every single app that references it, and not just in their own apps. By virtue of fixing that system library, every user of it receives the fix.
Also, you might want to check – but should be any app that uses ActiveScripting was vulnerable to this, and so that extends well past just users of MSHTML. For example, most management tools will let you use JScript or VBScript and execute that on clients. Problem would be a lot more widespread than just Exploder based on my understanding.
I have a laptop running Win 8.1. After reading this article, I went to Windows Update (which I have set to advise but not download) to see if it was listed, which it was. I then clicked on “more information” and was taken to the following:
Summary
A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer. To learn more about the vulnerability, go to CVE-2018-8653.
Important
If you install a language pack after you install this update, you must reinstall this update. Therefore, we recommend that you install any language packs that you need before you install this update. For more information, see Add language packs to Windows.
KNOWN ISSUES in this security update
After you install this security update on a computer that is running Windows Server 2012 R2 or Windows 8.1, the About Internet Explorer 11 dialog box will show KB4470199 (the December 11, 2018 security update for Internet Explorer) instead of KB4483187. Users can confirm they are protected by verifying that the version of jscript.dll is 5.8.9600.19230.
Give me a break. They are expecting the regular Windows user to be checking to see if a jscript.dll is correct??
KB4483234 keeps kicking me off the internet. To get back on, I have to reset my adapter (“default gateway is not available”) every 30 seconds or so. I uninstalled the Windows update. That fixed the problem. But it keeps re-installing itself. I’m using Win 10. I am on Chrome browser, but the problem happens no matter if the browser is active or not.
Why didn’t my comment post?
Comments are moderated by hand, and there were no hands on deck on the 26th.