Emergency patch out for exploited IE scripting engine flaw

Microsoft has rushed out an emergency patch for an actively exploited vulnerability affecting the Internet Explorer web browser that ships with its Windows operating system.

The vulnerability is due to the way Windows jscript scripting engine handles objects in memory in IE, Microsoft said.

Exploiting the vulnerability could corrupt memory, and allow attackers to run arbitrary code with the same rights as the logged on user. 

This becomes especially serious if the targetted user has administrative rights, in which case they're able to take full control of vulnerable computers.

Microsoft said the vulnerability is exploited via booby-trapped websites and phishing emails.

"In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit the vulnerability through Internet Explorer and then convince a user to view the website, for example, by sending an email," Microsoft wrote in its advisory.

Internet Explorer 11 in Windows versions 10, 8.1, 7SP1 are affected by the vulnerability, along with IE10 on Windows Server 2012, and IE9 on Windows Server 2008.

The fix for the CVE-2018-8653 vulnerability is delivered via WIndows Update and modifies how the scripting engine handles objects in memory.

It is also possible for users with administrative rights to use the access list control (cacl) command to restrict access to the jscript.dll file, in order to mitigate against the vulnerability, Microsoft said.

Researcher Clement Lecigne from Google's Threat Analysis Group is credited with having found the vulnerability.

Microsoft did not publish further details on the attacks.