December 19, 2018

Microsoft today released an emergency software patch to plug a critical security hole in its Internet Explorer (IE) Web browser that attackers are already using to break into Windows computers.

The software giant said it learned about the weakness (CVE-2018-8653) after receiving a report from Google about a new vulnerability being used in targeted attacks.

Satnam Narang, senior research engineer at Tenable, said the vulnerability affects the following installations of IE: Internet Explorer 11 from Windows 7 to Windows 10 as well as Windows Server 2012, 2016 and 2019; IE 9 on Windows Server 2008; and IE 10 on Windows Server 2012.

“As the flaw is being actively exploited in the wild, users are urged to update their systems as soon as possible to reduce the risk of compromise,” Narang said.

According to a somewhat sparse advisory about the patch, malware or attackers could use the flaw to break into Windows computers simply by getting a user to visit a hacked or booby-trapped Web site. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

Microsoft says users who have Windows Update enabled and have applied the latest security updates are protected automatically. Windows 10 users can manually check for updates this way; instructions on how to do this for earlier versions of Windows are here.


48 thoughts on “Microsoft Issues Emergency Fix for IE Zero Day”

  1. The Sunshine State

    Internet users need to stop using Internet Explorer !

    This would be considered a “C” update because Microsoft can never seem to get its act together and release everything critical on “B” ( Patch Tuesday )

    I’m just going to wait to do this on next month’s Patch Tuesday since I never, ever use I.E. to begin with.

    1. JCitizen

      Malware is getting pretty tricky nowadays. How do you know the malware won’t start IE without your input and take over the operating system that way? You wouldn’t believe what I see in my honey pot lab!

      1. mandelo

        Do you mean already installed malware could use it for privilege escalation? Because I can’t think of a way a malicious script could do that when I’m browsing with chrome/firefox… But if so, how would that be possible?

        Sorry it sounds like a noob question but I’m just a little confused by your answer…

        1. JCitizen

          Let’s say you click on an ad and get a drive-by attack. You may not notice anything but a blink in the browser you are using. Malware can do quite a lot from the temporary files loaded by whatever browser you are using – they can even pop the UAC if you are lucky. I would not put it past their capability in opening IE to gain access to the vulnerability. I’ve seen malware behavior that matches pretty much whatever rights the user has on the machine. If you are logged in as a standard account user, you can deflect most malware by simply closing all browsers and running CCleaner to flush the temp files – but if you have a vulnerability, things would happen too fast to mitigate the attack.

          1. Rob Shein

            If another browser is the default handler for content, then this vulnerability does not pose the same level of risk, regardless of whether or not IE is tightly bound into the operating system. In order to be exploited, hostile content must be handled by IE. A drive-by attack where the user is on Chrome or Firefox would fail.

            That said, there are lots of content types; it may well be that IE would remain as a default handler for a content type, under which such an attack would be feasible. But reading the actual description from Microsoft, who say that the vulnerability manifests in the scripting engine, other content types aside from what gets switched when you set a browser as your default would not come into play here. Using another browser as your default application is almost certainly a solid defense against this (aside from patching the thing, that is).

            1. timeless

              The w10 handling of file extensions is sufficiently beyond my memory of previous versions, but there are really too many file extension types for me to be willing to try them all.

              There are probably quite a few file types that are scriptable, SVG, HTML, XML, HTA, plus, sometimes browsers (especially for local files) may choose to sniff instead of trusting file extensions.

              I’m not willing to bet that there isn’t a path through which IE could be launched.

              And, if it’s the scripting host, do we know that the various help engines aren’t vulnerable?

              Really, unless your system is going to be broken by upgrading for this fix, I hope everyone upgrades asap.

        2. JCitizen

          See my answer to Art below, for another example of what I’m referring to.

        3. Clay_T

          Internet Exploiter is deeply entrenched in the OS. A window doesn’t have to be open for it to be accessed.

          I used to convince the non believers by typing a URL into the Windows Explorer (File Manager) bar, hit return, and the Windows Explorer window morphed into IE right before their eyes.

          1. JCitizen

            Thanks Clay_T – undoubtedly so! I’ve seen malware delete icons to apps that mitigate security concerns; delete program entries in the “All Programs” list; in fact pretty much do anything with the same permissions of the user. Of course these are scripts or batch files, but the malware does some system analysis before executing subversive actions. These only take seconds of course.

            The malware coders are not afraid to pop the UAC, because many users are clueless about why something has asked for administrative rights, so once they fall for that ruse, they don’t even have to rely on a vulnerability to pwn the system. I notice they either wait until the user opens another app, or they pop notes that use various social engineering messages to trick the user into supplying the password.

      2. The Sunshine State

        I would think that intrusion protection on a good firewall would protect you from that scenario, if somehow malware slips by with I.E. not being open

        You could just disable I.E. in Windows services and or group policy ? Run I.E. in a sandbox environment?

        1. Tarek Okail

          Removing IE is pretty simple, relatively speaking. Disabling Microsoft Edge is a trickier thing but it can be done.

      3. Fred Bottom

        Bees? Is it bees? That you see in your honey pot lab?

      4. Andy

        Well, I’m using linux so I don’t have that IE poison anywhere on my machine. That’s how I know.

      5. DirkDiggler

        What, exactly, is it that you see in your “honeypot lab”? Please tell me. I promise that I’ll believe you.

    2. Sisqo

      Why can’t they give the KB article related to this? We use SCCM and it doesn’t give a crap about CVE item. I have to spend too much time trying to cross reference a KB article with some CVE reference.

  2. chesscanoe

    At 18:35 UTC I was offered KB4483235 with no overt action on my part. This brought me to Microsoft Windows [Version 10.0.17763.195]. I was at 194 before the update. FYI

    1. Quid

      @chesscanoe

      Thanks, Good info.

      My Win10 did *not* update automatically nor after manually updating. That is, until remembering to change the deferred number of days for updates back to “0”, because you know we can’t trust those updates to be right in the first place.

  3. Tim2daG

    Caution regarding manually checking for updates on Windows 10: Microsoft announced this week that checking for updates may trigger a full upgrade to version 1809.

  4. Art

    Curious to know if this vulnerability could be triggered by having a user who is using a non-IE browser visit a compromised web site, such that a compromised web page could trigger the user’s IE browser even though they did not originally surf to the web site with IE. In other words, can the exploit be targeted even if the user doesn’t visit a page with IE but still has IE installed?

    1. JCitizen

      Good question; I would never underestimate the capabilities of the new malware now. They can do pretty much whatever level the user rights have – once they trigger the vulnerability they own your operating system of course. I’ve seen some unbelievable trickery and subterfuge sourced from malware activity. The smart ones try to stay out of the way and gather data on the user with as little evidence of malicious operation as possible.

      I saw a really “good” one wait until the user attempted to open an application and trigger the UAC to gain admin rights that way. A clueless user might assume an update is causing the UAC prompt. This crime-ware corrupted many of the anti-malware components and the machine had to be wiped, and re-installation of the operating system from backup was required.

    2. Brian Fiori (AKA The Dean)

      Though IE is NOT my default browser, and I almost never have a need for it, it HAS been opened automatically by some links/clicks in the past.

      Even if you don’t use a program, if it is installed, it should have all of its security updates, IMO. If you don’t use it uninstall it. If you can’t uninstall it (like IE) then keep it up-to-date. That’s my practice, anyway.

      And while, in theory having Windows Update configured to update automatically, it is always wise to check it from time-to-time. My desktop was on all day and not being used. When I checked Windows Update, it said I was up-to-date. But I checked for updates, anyway, and there it was.

      And of course, sometimes (often) Window Update is effectively disabled, if a previous update installation is stuck. Microsoft’s advice should be: Check and attempt to manually update NOW.

  5. Dean Marino

    OK – let’s be of VALUE? What is the specific KB number?

    Too often, we have to be very careful about WHICH KB number we install. Listing the SPECIFIC KB would be of great help.

    1. chesscanoe

      @ Dean Marino:
      If you read Brian Krebs’ article carefully, there is a clickable link (in orange on my machine) with the words “sparse advisory”. If you click on it you will see all the KB info you could ask for.

  6. aleg

    If you click to look for updates, you’ll be getting the entire 1809 update bundle. You’re welcome. Anyone think it’s a false-flag plot to get 1809 in-the-wild?

    1. Harry the D.

      Your paranoid raving turns out to be untrue. I just installed the update via the “Check For Updates” button and I’m still running 1803.

  7. Steve

    There are multiple KBs; the specific KB which applies to your specific situation depends on the particular OS version and IE version you’re running.

    If you had taken the “sparse advisory” link that Brian so helpfully provided in the article, you would have found (after agreeing to the site’s TOS) a chart listing all the possibilities and showing the “SPECIFIC KB” for each one.

  8. john

    All the, justified IMO, paranoid talk about the malware builders had me rereading the cert. Then it hit me. How did the guy from Google see an exploit that is only JavaScript running in a browser in the wild? I thought I was computer savvy, got the degree, but after Snowden I realised how far behind the curve I was. So now I’m trying not to be “paranoid” but I just have to wonder what the internet looks like to Google, Microsoft, government. I don’t see other people but I know they are around, but it sounds like this Google guy was right in the browser. How much can they see? Does it stop when I stop browsing?

    I’m not sure who is breaking the internet faster. The criminals with malware or the supposed good guys protecting us? Self-perpetuating. Never make it right so you just get to keep making it and taking more each time.

  9. Vern

    All these experts visiting and commenting on a security forum/blog hosted on one of the most un-secure platforms out there!

  10. B

    Easily mitigated by keeping your every day logon out of the Administrator’s group. Basically the same reason you don’t logon to a Linux OS as root. In Linux you have “sudo” in Windows you have right click “run as”.

    1. JellyD

      Not necessarily. Tie this exploit in with an escalation of privilege exploit and you are off to the races. If a domain admin has logged into the system and the creds are cached, you now own the domain. (See mimikatz.) This is a worst case scenario, but def not impossible.

      1. timeless

        ooh, I miss mimikatz. I remember using it to extract my user’s certificate from a corporate poisoned VM.

  11. JellyD

    This is crazy. It’s only available in the CU for Windows 10 instead of a stand alone update. We held off on the latest Dec CUs due to stability concerns but now we are being forced to download and install 16GB of updates(1607/1803) to update a 779 KB file.

    1. KoSReader6000000

      “This is crazy.”- JellyD

      I thoroughly agree.

      “Microsoft is ditching key engines in their browsers like Edge and is even having problems with its own compiler…” “Edge dies a death of a thousand cuts as Microsoft switches to Chromium” - Ars Technica

      ht tps://arstechnica.com/gadgets/2018/12/post-mortem-tying-edge-to-windows-10-was-a-fatal-error/

      [Url fractured for safety]

      The problem is Microsoft is using an 18 month life cycle for critical Operating Systems when in the past OS versions were supported for 5 to 10 years or 50 months to 120 months. It takes Microsoft about 5 years to harden their operating systems [say, Windows 2000 Professional, XP, Windows 7]. They just cannot harden their code in 18 months. I wish they could but they cannot.

      I talked about this problem in Brian Krebs Patch Tuesday post.

      See:
      https://krebsonsecurity.com/2018/12/patch-tuesday-december-2018-edition/#comment-477850
      KoSReader6000000

      Microsoft’s CEO Satya Nadella is trying to duplicate Apple’s iPhone profit success by shortening Microsoft’s OS life cycle from 120 months to 18 months. Microsoft cannot harden its systems code in that short time frame [Apple pushes out about 11 models since inception of its cell phones or about a new model every 1 to 2 years].

      The main problem is the iPhone’s iOS is not the same as a business desktop computer OS or a Business Server OS. There is a lot more work that goes into building hardened Desktop and Server Operating Systems than a cell phone.

      Microsoft is now trying to lock customers in to the “cloud” by also building consumer operating systems that depend on server side components.

      Microsoft is in trouble. CEO Nadella has made a big mistake and Microsoft code is a mess.

      Nadella should probably be replaced by a new and competent CEO that can build dependable Desktop and Server systems that don’t depend upon the “cloud” for critical parts.

      Microsoft needs to change its short term OS life cycles to longer cycles and correctly harden its products. That probably means a change in CEOs.

  12. Lee

    ….and then Tenable’s Nessus Agent was updated to 7.2 yesterday which broke scan results importing into SecurityCenter. Great timing :-/

  13. Nobby Nobbs

    It has long been my advice to never, ever, use the browser that comes with your OS.

    Never use IE or Edge.
    Never use Safari on Macs.
    I won’t even use Konqueror on KDE.

    Why? Because the OS *trusts* its built-in browser by default.
    You don’t know what hooks into the OS, what MIME types default to it, etc.

    And for the love of Berners-Lee, use NoScript!

    1. Soy Tenley

      Adobe Reader isn’t written by Microsoft or Apple or Linuxnauts …
      Java isn’t written by Microsoft or Apple or Linuxnauts …

  14. Andrew

    Can Edge script be disabled by using other browsers and turning off Edge in “background app” under settings, privacy?

    Also. Tried the command prompt:

    cacls %windir%\syswow64\jscript.dll /E /P everyone:N

    at https://www.kb.cert.org/vuls/id/573168/

    to disable the dll, didn’t work, said cacls not accepted command, (w10, 64 bit)…?

    1. Andrew

      Note: W10, 64, with Edge off under Privacy, background apps, I note no jscript.dll running anywhere in Task Manager (details, services, etc), nor any reference to a running Edge. I use Firefox as browser.
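An added example, not part of the article, of Andrew’s comments, or of the CERT note linked above: a read-only PowerShell audit that checks whether the jscript.dll access restriction set by the cacls command quoted above is in place, and whether any of the KB numbers quoted by commenters in this thread is installed. It is assumed to run from an elevated PowerShell prompt on Windows 10; it checks both the syswow64 path from the comment (the 32-bit DLL that 32-bit IE content processes load) and the system32 copy (the 64-bit DLL, which the advisory’s 64-bit workaround also covers), and the KB list is taken from the comments only, so at most one entry applies to any given build.

```powershell
# Added example (not from the article, the comments, or the CERT note):
# read-only audit of the jscript.dll access-restriction workaround and of the
# KB numbers quoted in this thread. Run from an elevated PowerShell prompt.

# S-1-1-0 is the well-known SID for "Everyone"; matching on the SID rather
# than the name keeps the check working on non-English Windows installs.
$everyoneSid = New-Object System.Security.Principal.SecurityIdentifier('S-1-1-0')

function Test-JscriptRestriction {
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject]@{ Path = $Path; Status = 'not present' }
    }
    $acl = Get-Acl -LiteralPath $Path
    # cacls <file> /E /P everyone:N leaves an explicit Deny entry for Everyone;
    # report any Deny ACE whose principal resolves to S-1-1-0.
    $deny = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Deny' -and
        $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) -eq $everyoneSid
    }
    $status = 'workaround NOT applied'
    if ($deny) { $status = "workaround applied (Deny: $($deny.FileSystemRights))" }
    [pscustomobject]@{ Path = $Path; Status = $status }
}

# Both copies of the scripting engine on a 64-bit install: system32 holds the
# 64-bit DLL, syswow64 (the path from the comment above) the 32-bit one.
# On 32-bit Windows only the system32 copy exists.
$paths = @("$env:windir\system32\jscript.dll", "$env:windir\syswow64\jscript.dll")
$paths | ForEach-Object { Test-JscriptRestriction -Path $_ } | Format-Table -AutoSize

# KB numbers quoted by commenters in this thread (a constructed list, not the
# advisory's full mapping); which one applies depends on the Windows build, so
# finding none of them does not by itself prove the machine is unpatched.
$kbs = @('KB4483235', 'KB4483234', 'KB4483187')
$found = Get-HotFix | Where-Object { $kbs -contains $_.HotFixID }
if ($found) {
    $found | Select-Object HotFixID, Description, InstalledOn | Format-Table -AutoSize
} else {
    Write-Output "None of $($kbs -join ', ') reported by Get-HotFix; check the advisory's KB table for this build."
}
```

cacls.exe still ships in System32 on Windows 10 (deprecated in favour of icacls) but needs an elevated prompt to change a file owned by TrustedInstaller, which is the usual reason the quoted command fails. Reading the ACL with Get-Acl sidesteps that, and the same check is useful after patching: the Deny entry should be removed again (cacls /E /R revokes an entry) once the update is installed, since leaving the scripting engine blocked breaks legitimate JScript use.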

  15. Nerdosaur

    Wow, welcome to Infosec! This has been the funniest and most entertaining comment section I’ve read in a long time! It pretty much sums up an information security employee’s daily life! (BTW-does anyone have any openings for a farmer / truck driver?)

  16. Cog

    Never use IE, but I do use Edge. Windows Update for me has been downloading, initializing then crashing. “Windows can not install update because your computer was turned off”.

    Computer wasn’t turned off during an update. Tried windows troubleshooter for update. Tried check for errors, sfc /scannow. KB4483234. “We couldn’t install some updates because your computer was turned off.”

    It’s a weird loop.

  17. Plum

    AskWoody is consistently telling people not to patch….and everyone else is. Madness.

  18. jxl2

    I just installed patch KB4483187 from Win update last night without any problems noted so far. Win7 x 64 Pro, Firefox, AVG.
