Microsoft has released an out-of-band security update that fixes an actively exploited vulnerability in Internet Explorer. This vulnerability has been assigned ID CVE-2018-8653 and was discovered by Google’s Threat Analysis Group when they saw the vulnerability being used in targeted attacks.

According to Microsoft's security bulletin, this is a vulnerability in how the Internet Explorer scripting engine handles objects in memory. Attackers can use it to corrupt memory in such a way that they could execute code with the privileges of the logged-in user.

"A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer," states Microsoft's advisory. "The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights."

This vulnerability can also be used to launch attacks through specially crafted web sites that host the exploit code. This means that attackers can use the vulnerability in exploit kits or by compromising legitimate sites and adding code that exploits it.

Once the vulnerability is successfully exploited, the attackers would be able to run commands on the computer, such as downloading further malware or scripts, or executing any command that the currently logged-in user has access to.

A full list of updates for various Windows versions can be found in the advisory. These updates are available for Internet Explorer 11 on Windows 10, Windows 8.1, and Windows 7 SP1, Internet Explorer 10 on Windows Server 2012, and Internet Explorer 9 on Windows Server 2008.

In response to our questions about the targeted attacks, Microsoft has told BleepingComputer that they have nothing further to add and Google has not responded as of yet.

Mitigating the vulnerability

Those who want to mitigate the vulnerability until the update is installed can do so by removing the Everyone group's privileges to the jscript.dll file. According to Microsoft, this mitigation will not cause problems with Internet Explorer 11, 10, or 9, as they use Jscript9.dll by default.

Restrict access to JScript.dll

For 32-bit systems, enter the following command at an administrative command prompt:

    cacls %windir%\system32\jscript.dll /E /P everyone:N

For 64-bit systems, enter the following command at an administrative command prompt:

    cacls %windir%\syswow64\jscript.dll /E /P everyone:N

Impact of Workaround. By default, IE11, IE10, and IE9 use Jscript9.dll, which is not impacted by this vulnerability. This vulnerability only affects certain websites that utilize jscript as the scripting engine.

How to undo the workaround.

For 32-bit systems, enter the following command at an administrative command prompt:

    cacls %windir%\system32\jscript.dll /E /R everyone

For 64-bit systems, enter the following command at an administrative command prompt:

    cacls %windir%\syswow64\jscript.dll /E /R everyone
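To confirm on a given machine that the workaround above is actually in effect, the following PowerShell check can be run from an administrative prompt. It is an added example, not part of Microsoft's advisory; the function name Test-JScriptWorkaround is hypothetical, and it assumes that setting Everyone to N makes the DLL unreadable for every account, administrators included.

```powershell
# Added example: audit whether the jscript.dll ACL workaround is in effect.
# Assumption: with Everyone set to N (no access), opening the file for read
# fails with "access denied" for any account, including administrators.
function Test-JScriptWorkaround {
    param([Parameter(Mandatory)][string]$Path)

    $r = [ordered]@{ Path = $Path; Readable = $null; EveryoneAces = @(); Status = 'Unknown' }
    if (-not (Test-Path -LiteralPath $Path)) {
        $r.Status = 'FileNotFound'
        return [pscustomobject]$r
    }

    # Functional check: can this process still open the DLL for reading?
    try {
        $fs = [System.IO.File]::Open($Path, 'Open', 'Read', 'ReadWrite')
        $fs.Dispose()
        $r.Readable = $true
    } catch [System.UnauthorizedAccessException] {
        $r.Readable = $false
    } catch {
        $r.Readable = $null   # some other I/O problem; leave Status as Unknown
    }

    # Informational: list ACEs for Everyone (well-known SID S-1-1-0).
    # Matching on the SID keeps the check working on non-English Windows.
    try {
        $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop
        $r.EveryoneAces = @(
            $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier]) |
                Where-Object { $_.IdentityReference.Value -eq 'S-1-1-0' } |
                ForEach-Object { "$($_.AccessControlType):$($_.FileSystemRights)" })
    } catch {
        $r.EveryoneAces = @('ACL not readable by this account')
    }

    if ($r.Readable -eq $true)  { $r.Status = 'NotMitigated' }
    if ($r.Readable -eq $false) { $r.Status = 'Mitigated' }
    [pscustomobject]$r
}

# Path selection follows the workaround text: system32 on 32-bit, syswow64 on 64-bit.
$dir = if ([Environment]::Is64BitOperatingSystem) { 'syswow64' } else { 'system32' }
Test-JScriptWorkaround -Path (Join-Path $env:windir "$dir\jscript.dll")
```

A Status of NotMitigated after the update has been installed and the workaround undone is the expected end state.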

Update 12/20/18: Added response from Microsoft and removed the KB reference, as it's different for each OS.