Security Experts:

Google Finds Internet Explorer Zero-Day Exploited in Targeted Attacks

An out-of-band update released by Microsoft on Wednesday for its Internet Explorer web browser patches a zero-day vulnerability exploited by malicious actors in targeted attacks.

Microsoft has credited Clement Lecigne of Google’s Threat Analysis Group for reporting the vulnerability, but neither Microsoft nor Google have shared any details about the attacks involving the flaw.

The security hole is tracked as CVE-2018-8653 and it has been described as a remote code execution vulnerability related to how the scripting engine used by Internet Explorer handles objects in memory.

“The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user,” Microsoft explained in an advisory. “An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.”

According to the tech giant, an attacker can exploit the vulnerability by getting the targeted user to visit a specially crafted website using Internet Explorer. The victim can be lured to the malicious site using social engineering tactics.

Microsoft says the flaw impacts Internet Explorer 9 on Windows Server 2008, Internet Explorer 10 on Windows Server 2012, and Internet Explorer 11 on Windows 10, Windows Server 2019, Windows Server 2016, Windows Server 2008 R2, Windows Server 2012 R2, Windows 7, and Windows 8.1.

Since there are no workarounds for addressing this vulnerability, users should install the updates provided by Microsoft as soon as possible.

“Customers who have Windows Update enabled and have applied the latest security updates, are protected automatically. We encourage customers to turn on automatic updates,” Microsoft said.

Microsoft has patched a significant number of zero-day vulnerabilities this year, and since August it has resolved at least one zero-day every month. The list includes a flaw exploited by cybercriminals to deliver a RAT – Microsoft initially did not want to address this weakness –, Windows vulnerabilities disclosed by a researcher on Twitter, and several security bugs exploited in attacks aimed at the Middle East.

With this month’s Patch Tuesday updates, the company fixed a Windows kernel privilege escalation flaw exploited by a new threat actor named SandCat and possibly other groups.

Related: Microsoft Patches Actively Exploited Windows Vulnerability

Related: Microsoft Patches Windows Zero-Day Exploited by 'FruityArmor' Group

view counter
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.