Microsoft issued an emergency security update on Wednesday to patch a critical zero-day vulnerability in Internet Explorer (IE) Web browser IE9, IE10 and IE11. It also impacts IE 9 on Windows Server 2008, IE 10 on Windows Server 2012, IE 11 from Windows 7 to Windows 10, and IE 11 on Windows Server 2019, Windows Server 2016, Windows Server 2008 R2, Windows Server 2012 R2. The flaw, reported to Microsoft by Google’s Threat Analysis Group, was discovered by security engineer Clement Lecigne. Attackers are already exploiting the vulnerability, tracked as CVE-2018-8653, to hack into Windows computers.
According to the security update, an unspecified memory corruption vulnerability resides in the scripting engine JScript component of IE that handles execution of scripting languages. The flaw acts as a remote code execution (RCE) which allows attackers to execute arbitrary code in the context of the current user, potentially allowing the attackers to install programs; view, change, or delete data; or create new accounts with full user rights.
Microsoft has yet to publicly disclose any technical details about the IE zero-day vulnerability. Because the flaw is already being exploited, users are strongly encouraged to install the latest updates provided by Microsoft as soon as possible. “Customers who have Windows Update enabled and have applied the latest security updates, are protected automatically,” the company wrote, advising customers to enable automatic updates.
Want to make sure you’re secure? Contact Petronella Tech today for a consultation.