Microsoft today released an emergency software patch to plug a critical security hole in its Internet Explorer (IE) Web browser that attackers are already using to break into Windows computers.
The software giant said it learned about the weakness (CVE-2018-8653) after receiving a report from Google about a new vulnerability being used in targeted attacks.
Satnam Narang, senior research engineer at Tenable, said the vulnerability affects the following installations of IE: Internet Explorer 11 from Windows 7 to Windows 10 as well as Windows Server 2012, 2016 and 2019; IE 9 on Windows Server 2008; and IE 10 on Windows Server 2012.
“As the flaw is being actively exploited in the wild, users are urged to update their systems as soon as possible to reduce the risk of compromise,” Narang said.
According to a somewhat sparse advisory about the patch, malware or attackers could use the flaw to break into Windows computers simply by getting a user to visit a hacked or booby-trapped Web site. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
Microsoft says users who have Windows Update enabled and have applied the latest security updates are protected automatically. Windows 10 users can manually check for updates this way; instructions on how to do this for earlier versions of Windows are here.
Internet users need to stop using Internet Explorer !
This would be considered a “C” update because Microsoft can never seem to get it’s act together and release everything critical on “B” ( Patch Tuesday )
I’m just going to wait to do this on next months Patch Tuesday since I never, ever use I.E. to begin with.
Malware is getting pretty tricky now-a-days. How do you know the malware won’t start IE without your input and take over the operating system that way? You wouldn’t believe what I see in my honey pot lab!
Do you mean already installed malware could use it for privilege escalation? Because I can’t think of a way a malicious script could do that when I’m browsing with chrome/firefox… But if so, how would that be possible?
Sorry it sounds like a noob question but I’m just a little confused by your answer…
Let’s say you click on an add and get a drive by attack. You may not notice anything but a blink in the browser you are using. Malware can do quite a lot from the temporary files loaded by what ever browser you are using – they can even pop the UAC if you are lucky. I would not put it past their capability in opening IE to gain access to the vulnerability. I’ve seen malware behavior that matches pretty much whatever rights the user has on the machine. If you are logged in as a standard account user, you can deflect most malware by simply closed all browsers and running CCleaner to flush the temp files – but if you have a vulnerability, things would happen too fast to mitigate the attack.
If another browser is the default handler for content, then this vulnerability does not pose the same level of risk, regardless of whether or not IE is tightly bound into the operating system. In order to be exploited, hostile content must be handled by IE. A drive-by attack where the user is on Chrome or Firefox would fail.
That said, there are lots of content types; it may well be that IE would remain as a default handler for a content type, under which such an attack would be feasible. But reading the actual description from Microsoft, who say that the vulnerability manifests in the scripting engine, other content types aside from what gets switched when you set a browser as your default would not come into play here. Using another browser as your default application is almost certainly a solid defense against this (aside from patching the thing, that is).
The w10 handling of file extensions is sufficiently beyond my memory of previous versions, but there are really too many file extension types for me to be willing to try them all.
There are probably quite a few file types that are scriptable, SVG, HTML, XML, HTA, plus, sometimes browsers (especially for local files) may choose to sniff instead of trusting file extensions.
I’m not willing to bet that there isn’t a path through which IE could be launched.
And, if it’s the scripting host, do we know that the various help engines aren’t vulnerable?
Really, unless your system is going to be broken by upgrading for this fix, I hope everyone upgrades asap.
See my answer to Art below, for another example of what I’m referring to.
Internet Exploiter is deeply entrenched in the OS. A window doesn’t have to be open for it to be accessed.
I used to convince the non believers by typing a URL into the Windows Explorer (File Manager) bar, hit return, and the Windows Explorer window morphed into IE right before their eyes.
Thanks Clay_T – undoubtedly so! I’ve seen malware delete icons to apps that mitigate security concerns; delete program entries in the “All Programs” list; in fact pretty much do anything with the same permissions of the user. Of course these are scripts or batch files, but the malware do some system analysis before executing subversive actions. These only take seconds of course.
The malware coders are not afraid to pop the UAC, because many users are clueless about why something has asked for administrative rights, so once they fall for that ruse, they don’t even have to rely on a vulnerability to pwn the system. I notice they either wait until the user opens another app, or they pop notes that use various social engineering messages to trick the user into supplying the password.
I would think that intrusion protection on a good firewall would protect you from that scenario , if somehow malware slip by with I.E. not being open
You could just disable I.E. in Windows services and or group policy ? Run I.E. in a sandbox environment?
Removing IE is pretty simple, relatively speaking. Disabling Microsoft Edge is a trickier thing but it can be done.
Bees? Is it bees? That you see in your honey pot lab?
Well, I’m using linux so I don’t have that IE poison anywhere on my machine. That’s how I know.
What, exactly, is it that you see in your “honeypot lab”? Please tell me. I promise that I’ll believe you.
Why can’t they give the KB article related to this? We use SCCM and it doesn’t give a crap about CVE item. I have to spend too much time trying to cross reference a KB article with some CVE reference.
If you want the KB numbers associated with a CVE, Google is your friend.
https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-8653
There are about 8 KBs associated with CVE-2018-8653
When you download this patch from Microsoft it is actually rated “Important” rather than “Critical”.
At 18:35 UTC I was offered KB4483235 with no overt action on my part. This brought me to Microsoft Windows [Version 10.0.17763.195]. I was at 194 before the update. FYI
@chesscanoe
Thanks, Good info.
My Win10 did *not* update automatically nor after manually updating. That is, until remembering to change the deferred number of days for updates back to “0”, because you know we can’t trust those updates to be right in the first place.
Caution regarding manually checking for updates on Windows 10, Microsoft announced this week checking for updates may likely trigger a full upgrade to version 1809.
I second that. It also makes you an unintentional beta tester of Windows 10 updates that haven’t been fully vetted yet. See:
https://www.digitaltrends.com/computing/windows10-check-for-updates/
https://www.pcworld.com/article/3326833/windows/careful-windows-10s-check-for-updates-button-may-download-beta-code.html
Curious to know if this vulnerability could be triggered by having a user using a non-IE browser visit a compromised web site such that a compromised web page could trigger a user’s IE browser even though not originally surfing to the web site with IE. In other words, can the exploit be targeted even if the user doesn’t visit a page with IE but still has IE installed.
Good question; I would never underestimate the capabilities of the new malware now. They can do pretty much what ever level the user rights have – once they trigger the vulnerability they own your operating system of course. I’ve seen some unbelievable trickery and subterfuge sourced from malware activity. The smart ones try to stay out of the way and gather data on the user with as little evidence of malicious operation as possible.
I saw a really “good” one wait until the user attempted to open an application and trigger the UAC to gain admin rights that way. A clueless user might assume an update is causing the UAC prompt. This crime-ware corrupted many of the anti-malware components and the machine had to be wiped, and re-installation of the operating system from backup was required.
Though IE is NOT my default browser, and I almost never have a need for it, it HAS been opened automatically by some links/clicks in the past.
Even if you don’t use a program, if it is installed, it should have all of its security updates, IMO. If you don’t use it uninstall it. If you can’t uninstall it (like IE) then keep it up-to-date. That’s my practice, anyway.
And while, in theory having Windows Update configured to update automatically, it is always wise to check it from time-to-time. My desktop was on all day and not being used. When I checked Windows Update, it said I was up-to-date. But I checked for updates, anyway, and there it was.
And of course, sometimes (often) Window Update is effectively disabled, if a previous update installation is stuck. Microsoft’s advice should be: Check and attempt to manually update NOW.
OK – let’s be of VALUE? What is the specific KB number?
Too often, we have to be very careful about WHICJ KB number we install. Listing the SPECIFIC KB would be of great help.
@ Dean Marino:
If you read Brian Krebs article carefully, there is a clickable link (in orange on my machine) with words “sparse advisory”. If you click on it you will see all the KB info you could ask for.
If you click to look for updates, you’ll be getting the entire 1809 update bundle. You’re welcome. Anyone think it’s a false-flag plot to get 1809 in-the-wild?
Your paranoid raving turns out to be untrue. I just installed the update via the “Check For Updates” button and I’m still running 1803.
There are multiple KBs; the specific KB which applies to your specific situation depends on the particular OS version and IE version you’re running.
If you had taken the “sparse advisory” link that Brian so helpfully provided in the article, you would have found (after agreeing to the site’s TOS) a chart listing all the possibilities and showing the “SPECIFIC KB” for each one.
Lots of good comments and speculation in several of the comments today. This article will no doubt make some say “I was right all along!”
https://www.kb.cert.org/vuls/id/573168/
I was right all along!
All the, justified imo, paranoid talk about the malware builders had me rereading the cert. Then it hit me. How did the guy from google see an exploit that is only java script running in a browser in the wild? I thought i was computer savy, got the degree, but after Snowdon i realised how far behind the curve i was. So now im trying not to be “paranoid” but i just have to wonder what the internet looks like to google, microsoft, government. I don’t see other peopleb i knoe they are around but it sounds like this google guy was right in the browser. How much can they see? Does it stop when i stop browsing?
I’m not sure who is breaking the internet faster. The criminals with malware or the supposed good guys protecting us? Self pepetuating. Never make it right so you just get to keep making it and taking more each time.
All these experts visiting and commenting on a security forum/blog hosted on one of the most un-secure platforms out there!
Easily mitigated by keeping your every day logon out of the Administrator’s group. Basically the same reason you don’t logon to a Linux OS as root. In Linux you have “sudo” in Windows you have right click “run as”.
Not necessarily. Tie this exploit in with an escalation of privilege exploit and you are off to the races. If a domain admin has logged into the system and the creds are cached, you now own the domain. (See mimikatz)This is a worst case scenario, but def not impossible.
ooh, I miss mimikatz. I remember using it to extract my user’s certificate from a corporate poisoned VM.
This is crazy. It’s only available in the CU for Windows 10 instead of a stand alone update. We held off on the latest Dec CUs due to stability concerns but now we are being forced to download and install 16GB of updates(1607/1803) to update a 779 KB file.
“This is crazy.”- JellyD
I thoroughly agree.
“Microsoft is ditching key engines in their browsers like Edge and is even having problems with its own complier… “Edge dies a death of a thousand cuts as Microsoft switches to Chromium”- Arstechnica
ht tps://arstechnica.com/gadgets/2018/12/post-mortem-tying-edge-to-windows-10-was-a-fatal-error/
[Url fractured for safety]
The problem is Microsoft is using an 18 month life cycle for critical Operating Systems when in the past OS versions were supported for 5 to 10 years or 50 months to 120 months. It takes Microsoft about 5 years to harden there operating systems [say, Windows 2000 professional, XP, Windows 7]. They just cannot harden their code in 18 months. I wish they could but they cannot.
I talked about this problem in Brian Krebs Patch Tuesday post.
See:
https://krebsonsecurity.com/2018/12/patch-tuesday-december-2018-edition/#comment-477850
KoSReader6000000
Microsoft’s CEO Satya Nadella is trying to duplicate Apple’s iPhone profit success by shortening Microsoft’s OS life cycle from 120 months to 18 months. Microsoft cannot harden its systems code in that short time frame [Apple pushes out about 11 models since inception of its cell phones or about a new model every 1 to 2 years].
The main problem is iphone’s iOS is not that same a business desktop computer OS or a Business Server OS. There is a lot more work that goes into building a hardened Desktop and Server Operating Systems than a cell phone.
Microsoft is now trying to lock customers in to the “cloud” by also building consumer operating system that depend on server side components.
Microsoft is in trouble. CEO Nadella has made a big mistake and Microsoft code is a mess.
Nadella should probably replaced by a new and competent CEO that can build dependable Desktop and Server systems that doesn’t depend upon the “cloud” for critical parts.
Microsoft needs to change its short term OS life cycles to longer cycles and correctly harden its products. That probably means a change in CEOs.
….and then Tenable’s Nessus Agent was updated to 7.2 yesterday which broke scan results importing into SecurityCenter. Great timing :-/
Reported crash with the new out-of-band IE fix on Win7, KB 4483187
https://www.askwoody.com/2018/reported-crash-with-the-new-out-of-band-ie-fix-on-win7-kb-4483187/
It has long been my advice to never, ever, use the browser that comes with your OS.
Never use IE or Edge.
Never use Safari on Macs.
I won’t even use Konqueror on KDE.
Why? Because the OS *trusts* its built-in browser by default.
You don’t know what hooks into the OS, what MIME types default to it, etc.
And for the love of Berners-Lee, use NoScript!
Adobe Reader isn’t written by Microsoft or Apple or Linuxnauts …
Java isn’t written by Microsoft or Apple or Linuxnauts …
Can Edge script be disabled by using other browsers and turning off Edge in “background app” under settings, prvacy?
Also. Tried the command prompt:
cacls %windir%\syswow64\jscript.dll /E /P everyone:N
at https://www.kb.cert.org/vuls/id/573168/
to disable the dll, didn’t work, said cacls not accepted command, (w10, 64 bit)…?
Note: W10, 64, with Edge off under Privacy, background apps, I note no jscript.dll running anywhere in Task Manager (details, services, etc), nor any reference to a running Edge. I use Firefox as browser.
Wow, welcome to Infosec! This has been the funniest and most entertaining comment section I’ve read in a long time! It pretty much sums up an information security employee’s daily life! (BTW-does anyone have any openings for a farmer / truck driver?)
Check this mailing list out:
http://patchmanagement.org/
Never use IE, but I do use Edge. Windows Update for me has been downloading, initializing then crashing. “Windows can not install update because your computer was turned off”.
Computer wasn’t turned off during an update. Tried windows troubleshooter for update. Tried check for errors, sfc /scannow. KB4483234. “We couldn’t install some updates because your computer was turned off.”
It’s a weird loop.
AskWoody is consistently telling people not to patch….and everyone else is. Madness.
I just installed patch KB4483187 from Win update last night without any problems noted so far. Win7 x 64 Pro, Firefox, AVG.