Microsoft is ending 2018 the same way it began the year: with an emergency patch to address a security vulnerability. This out-of-band security update fixes a remote code execution flaw in Internet Explorer’s scripting engine that attackers are currently exploiting to take over victim computers.
The issue is a complex one, as it exists in a widely-used component (jscript.dll), and can also be chained with other flaws to increase its attack scope. The fact that the vulnerability is already being targeted by attack groups immediately bumps the vulnerability up the priority list, but enterprises operating with smaller-than-usual IT teams at this time of the year because of the upcoming Christmas and New Year’s holidays will find it difficult to test and deploy the update quickly enough.
Victims with unpatched versions of Internet Explorer will be compromised just by visiting a malicious website containing code targeting this vulnerability (CVE-2018-8653), Microsoft said in its security advisory. Once the victim’s browser is compromised, the attacker would be able to run code with the same access privileges as the victim’s account.
“An attacker who successfully exploited the vulnerability could gain the same user rights as the current user,” Microsoft said. “If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.”
Clement Lecigne, a member of Google’s Threat Analysis Group, reported the vulnerability to Microsoft. Both companies are staying silent on how attackers are currently exploiting this vulnerability.
Not Just in IE
The vulnerability impacts Internet Explorer 9 (Windows Server 2008), Internet Explorer 10 (Windows Server 2012), and Internet Explorer 11 (Windows 10, Windows Server 2019, Windows Server 2016, Windows Server 2008 R2, Windows Server 2012 R2, Windows 7 SP1, and Windows 8.1). The latest browser, Microsoft Edge, does not use the vulnerable component and is also not affected.
Server editions running IE in restricted mode should not be vulnerable to attacks exploiting this flaw.
That doesn’t mean that enterprises that use Edge exclusively and don’t use IE don’t have to worry about this vulnerability, since many applications embed the IE scripting engine to render Web-based content. Applications in the Office suite use the vulnerable component, which means attackers can also use booby-trapped files to compromise users.
Use With Other Bugs
The attackers gain the same level of privileges as the logged-in user, which means the amount of damage can potentially be contained. For example, if the user has limited access privileges, the attacker may be able to install malware, but not be able to create new user account with full privileges. However, if the user had local admin privileges, then the attacker has full control over the machine.
An attacker can also potentially chain this IE vulnerability with a privilege escalation flaw, of which there are many. Such an attack would involve using the IE flaw to compromise the browser, and then running exploit code to increase user privileges to get System-level access and fully hijack the machine.
Microsoft patched five escalation privilege flaws over the past four months—all of which were actively being exploited in the wild. At least three were being used by nation-state attackers. For enterprises where the administrators had not yet applied those updates (CVE-2018-8611, CVE-2018-8589, CVE-2018-8453, CVE-2018-8440 because they were still testing them, the attack surface just got significantly wider.
Bump Up Priority
Microsoft outlined some workarounds in the advisory to give administrators time to test and deploy the patch (which updates jscript.dll to version 5.8.9600.19230). for the IE flaw. One option is to remove privileges to the jscript.dll file for the Everyone group (actual commands are in the advisory). Since Internet Explorer 11, 10, and 9 use the Jscript9.dll by default, removing the privileges to jscript.dll would impact only sites that specifically rely on that file.
Enterprises typically have a lag time between when the updates are available and when they are applied because they need to first test the patches against their infrastructure and iron out any potential issues before deploying them throughout the organization. This is one of those times where that lag time means gives the attackers a window of opportunity to operate. The timing isn't ideal, with many enterprises planning on having a skeletal crew over the holidays. Testing and deployment is going to be even more challenging than usual.