Reported: Clement Lecigne of Google’s Threat Analysis Group
Category: Microsoft/IE/RCE
Date: 19/12/2018
Overview:
Microsoft has released an emergency security update to patch an Internet Explorer (IE) critical zero-day vulnerability.
It was discovered by Clement Lecigne of Google's Threat Analysis Group. The vulnerability, tracked as CVE-2018-8653, is a remote code execution (RCE) flaw in the browser's JScript scripting engine.
Patches
The patch for this vulnerability is available on the Microsoft Website.
The fix follows four other zero-days that Microsoft patched earlier in 2018 (CVE-2018-8611, CVE-2018-8589, CVE-2018-8453, CVE-2018-8440), all elevation-of-privilege bugs that can be chained with this one. You can manually download these updates via the Microsoft Update Catalog website.
Mitigation
Patching is always the best way to fix the vulnerability.
Users who cannot patch immediately (not recommended) can mitigate the threat by restricting access to the jscript.dll file. Run the following command from a command prompt opened with administrative privileges:
For 32-bit systems: cacls %windir%\system32\jscript.dll /E /P everyone:N
For 64-bit systems: cacls %windir%\syswow64\jscript.dll /E /P everyone:N
Microsoft's advisory has 64-bit systems run the system32 command as well, because both a 32-bit and a 64-bit copy of the engine exist there. Internet Explorer 9, 10 and 11 use Jscript9.dll by default, which is not affected; the workaround only blocks the legacy engine, so any website that still relies on Jscript.dll (older document modes) will fail to render. This is a temporary mitigation only, and patching remains best practice. The advisory's undo step is the same command with /R everyone in place of /P everyone:N.
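As an added example (not code from Microsoft's advisory or from the original post), the script below wraps the advisory's cacls workaround so it can be applied, verified or removed in one step on either architecture. Only the two cacls command lines come from the advisory; the -Action parameter, the script name and the Test-JScriptBlocked helper are this example's own construction, and it assumes cacls.exe is still present (it is deprecated in favour of icacls but shipped with current Windows).

```powershell
<#
  Added example, not code from Microsoft's advisory or from the original post.
  Applies, verifies or undoes the jscript.dll access restriction for
  CVE-2018-8653. Only the two cacls command lines are taken from the advisory;
  the parameter names and the Test-JScriptBlocked helper are assumptions of
  this example. Run from an elevated PowerShell prompt.
#>
[CmdletBinding()]
param(
    [ValidateSet('Apply', 'Verify', 'Undo')]
    [string]$Action = 'Verify'
)

$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
$isAdmin   = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
if ($Action -ne 'Verify' -and -not $isAdmin) {
    throw 'Apply and Undo need an elevated (administrator) PowerShell prompt.'
}

# The advisory's 32-bit workaround covers system32 only. On 64-bit Windows a
# 32-bit copy of the engine also lives under syswow64 (loaded by 32-bit
# processes), so both files are restricted there.
$targets = @("$env:windir\system32\jscript.dll")
if ([Environment]::Is64BitOperatingSystem) {
    $targets += "$env:windir\syswow64\jscript.dll"
}

function Test-JScriptBlocked {
    # Functional check instead of parsing ACEs: after "everyone:N" no account,
    # administrators included, can open the file, so OpenRead fails with
    # UnauthorizedAccessException. Returns $null if the file does not exist.
    param([Parameter(Mandatory)][string]$Path)
    try {
        $stream = [System.IO.File]::OpenRead($Path)
        $stream.Dispose()
        return $false
    }
    catch [System.UnauthorizedAccessException] { return $true }
    catch [System.IO.FileNotFoundException]    { return $null }
}

foreach ($dll in $targets) {
    switch ($Action) {
        'Apply' { & cacls.exe $dll /E /P everyone:N | Out-Null }  # advisory's workaround
        'Undo'  { & cacls.exe $dll /E /R everyone   | Out-Null }  # advisory's undo step
    }
    # One row per engine copy: Blocked = $true means the workaround is in effect.
    [pscustomobject]@{
        File    = $dll
        Blocked = Test-JScriptBlocked -Path $dll
    }
}
```

Save it under any name (for instance Set-JScriptWorkaround.ps1, an arbitrary choice) and run `.\Set-JScriptWorkaround.ps1 -Action Apply`, then `-Action Verify` on each machine to confirm both rows report Blocked = True; `-Action Undo` restores access once the patch is installed. Because the deny applies to every process, expect anything else that loads the legacy engine, such as .js files run under Windows Script Host, to break while the workaround is in place.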
Vulnerability Details
The vulnerability affects the following installations of IE: Internet Explorer 11 on Windows 7 through Windows 10 and on Windows Server 2008 R2, 2012 R2, 2016 and 2019; IE 9 on Windows Server 2008; and IE 10 on Windows Server 2012.
The advisory describes it only as a memory corruption bug in the way the scripting engine handles objects in memory, and gives no further detail. The affected component is the legacy JScript engine (jscript.dll), which executes script for Internet Explorer; the newer Jscript9.dll engine that IE 9 and later use by default is not affected.
If exploited successfully, the vulnerability lets an attacker execute arbitrary code in the context of the current user. It becomes far more dangerous when chained with one of the earlier, still unpatched Windows elevation-of-privilege zero-days, since code execution as the user can then be turned into full control of the machine.
Microsoft had already released patches for four other zero-days earlier in 2018, each of them an elevation-of-privilege flaw.
This means that if a victim has missed any of the previous four Patch Tuesday updates, an attacker can chain the IE zero-day with one of those earlier bugs (CVE-2018-8611, CVE-2018-8589, CVE-2018-8453, CVE-2018-8440) to gain SYSTEM-level access and immediately take over the targeted computer.
The impact also depends on the rights of the logged-on user. If that user is an administrator, no privilege-escalation bug is needed at all: the attacker inherits the user's administrative rights and, as the advisory puts it, can install programs; view, change or delete data; or create new accounts with full user rights, which gives an easy route to persistence and to deploying further malware or a shell. Users running with a standard account are less exposed.
An attacker has no way to force a victim to view the malicious content. The victim must be lured into opening a specially crafted HTML document (a web page, or an attachment delivered by email or instant message), an MS Office document or PDF file that embeds IE scripting engine content, or any other document type that can host content rendered by the IE engine.
Although the vulnerability was being exploited in the wild when the patch shipped, neither Google nor Microsoft has yet publicly disclosed technical details about it.