Microsoft has just released a security update for Internet Explorer after receiving a report from Google about a new vulnerability being used in targeted attacks. The vulnerability, which was given the CVE-2018-8653 identifier, could allow for arbitrary code execution.
- Internet Explorer 8 for Windows Embedded Standard 2009 XP, POSReady 2009
- Internet Explorer 9 for Windows Server 2008
- Internet Explorer 10 for Windows Server 2012
- Internet Explorer 11 for Windows 7, 8.1, RT 8.1, 10
- Internet Explorer 11 for Windows Server 2008 R2, 2012 R2, 2016, 2019
How can the CVE-2018-8653 vulnerability be exploited?
Depending on the privileges associated with the user, an attacker could perform a variety of malicious activities, such as installing programs; viewing, changing, or deleting data; or even creating new accounts with full user rights. Note that users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.
In a web-based attack scenario, an attacker could host a specially crafted website designed to exploit the flaw via Internet Explorer. The user would then be tricked into viewing the website, for example, through an email. Another scenario involves applications that embed the Internet Explorer scripting engine to render web-based content. This includes apps from the Office suite.
CVE-2018-8611, for instance, is a privilege escalation vulnerability which is caused by the failure of the Windows kernel to properly handle objects in memory. And as explained in Microsoft’s advisory, an attacker who successfully exploited the flaw could run arbitrary code in kernel mode. Kaspersky Lab researchers were the first to detect the zero-day, and they were the ones who reported it to Microsoft and detected the active malicious campaigns exploiting the flaw.
Why is this vulnerability disclosure worrisome? It is one of several zero-days that Microsoft has patched in the past few months. And all the zero-days involved elevation of privilege. And if the previously disclosed vulnerabilities haven’t been patched on a system, the affected user could be exploited in a chain attack which employs one of the older bugs (CVE-2018-8611, CVE-2018-8589, CVE-2018-8453, CVE-2018-8440). This would give the attacker system-level access and could lead to various malicious outcomes.
Who’s at risk of CVE-2018-8653? Large and medium government entities are at high risk, as well as large and medium business entities. Smaller government entities and businesses are at medium risk, and home users are least exposed.
Nonetheless, the patches that address CVE-2018-8653 (KB4483187, KB4483230, KB4483234, KB4483235, KB4483232, KB4483228, and KB4483229) should be applied immediately by all concerned parties.
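One way to confirm that a host has one of the updates listed above recorded as installed, as an added example that is not from the original article or from Microsoft. The function name and the status strings are assumptions made for illustration; the KB identifiers are the ones given in the article, and `Get-HotFix` is the standard Windows PowerShell cmdlet.

```powershell
# Added example: report whether any CVE-2018-8653 update listed in the
# article is recorded as installed on one or more Windows hosts.
function Test-Cve20188653Patch {    # hypothetical helper name
    [CmdletBinding()]
    param(
        # Hosts to query; defaults to the local machine.
        [string[]]$ComputerName = @($env:COMPUTERNAME),
        # KB identifiers exactly as listed in the article.
        [string[]]$KbId = @('KB4483187', 'KB4483230', 'KB4483234', 'KB4483235',
                            'KB4483232', 'KB4483228', 'KB4483229')
    )
    foreach ($computer in $ComputerName) {
        try {
            # Get-HotFix reads Win32_QuickFixEngineering on the target host.
            $hits = @(Get-HotFix -ComputerName $computer -ErrorAction Stop |
                      Where-Object { $KbId -contains $_.HotFixID })
            $latest = $hits | Sort-Object InstalledOn | Select-Object -Last 1
            [pscustomobject]@{
                ComputerName = $computer
                # Status strings are assumptions chosen for this example.
                Status       = if ($hits.Count) { 'Found' } else { 'NotFound' }
                MatchedKB    = ($hits.HotFixID | Sort-Object -Unique) -join ','
                InstalledOn  = $latest.InstalledOn
            }
        }
        catch {
            # Host unreachable, access denied, or WMI query failed.
            [pscustomobject]@{
                ComputerName = $computer
                Status       = 'QueryFailed'
                MatchedKB    = ''
                InstalledOn  = $null
            }
        }
    }
}

# Check the local machine and print one row per host.
Test-Cve20188653Patch | Format-Table -AutoSize
```

A `NotFound` result does not by itself mean the host is unpatched: a later cumulative update that supersedes these packages is recorded under its own KB number, so compare such hosts against their most recent installed cumulative update before treating them as exposed.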