Vulnerability allowed attacker to gain full privileges from user just visiting a web-page
Microsoft has released an update for Internet Explorer after Google’s Threat Analysis Group discovered a vulnerability that allowed threat actors to inject malware into your system if you visit their webpage.
The remote code execution vulnerability in the scripting engine, CVE-2018-8653, was swiftly patched by Microsoft due to the seriousness of the threat.
Microsoft’s security response centre team wrote: “A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer.”
“The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user.”
If a threat actor has set up a website with this vulnerability in mind, then simply visiting the website using Internet Explorer would be enough to let them inject code through the browser into your system.
To make matters worse, if you are also logged in with administration privileges then the attacker gains these through the vulnerability, allowing them to take control of the system and then inject code, install programs, delete data or do anything they want because they now have full user rights.
Internet Explorer Update
Microsoft security also outlined a not-too-hard-to-imagine scenario where a threat actor uses an email campaign to get users to visit websites exploiting the bug.
The company commented that: “An attacker could host a specially crafted website that is designed to exploit the vulnerability through Internet Explorer and then convince a user to view the website, for example, by sending an email.”
The security update Microsoft has rolled out mitigates the vulnerability by modifying how the scripting engine handles objects in memory.
Microsoft has thanked the team at Google for pointing out this massive flaw in its scripting engine. The MSRC team commented that: “Today, we released a security update for Internet Explorer after receiving a report from Google about a new vulnerability being used in targeted attacks.”
“Customers who have Windows Update enabled and have applied the latest security updates, are protected automatically. We encourage customers to turn on automatic updates.”
“Microsoft would like to thank Google for their assistance”