IE - Scripting Engine Memory Corruption Vulnerability CVE-2018-8653


Yesterday, Microsoft released an out-of-band patch for a 0-day vulnerability affecting multiple versions of Internet Explorer that allows remote code execution. deepwatch recommends patching as soon as practical.

Overview

On December 19th, 2018 Microsoft released a patch for a 0-day vulnerability affecting multiple Internet Explorer versions across all supported Windows platforms. The vulnerability lies in the way the scripting engine handles objects in memory within Internet Explorer (IE) and could allow remote code execution, giving the attacker the same rights as the user logged into the system.

Technical Overview

The flaw is a memory corruption bug in jscript.dll, the legacy JScript scripting engine loaded by IE. A specially crafted web page, or any other content rendered through IE's engine, can corrupt a portion of the engine's memory in a way that lets the attacker execute arbitrary code on the affected system in the context of the current user. Successful exploitation therefore gives the attacker the rights of that user and potentially a pivot point into the environment.

The vulnerability was reported to Microsoft by Clément Lecigne of Google's Threat Analysis Group and is reported as being exploited in the wild. Many organizations are advising immediate patching based on the severity of the vulnerability (CVSS v3 base score of 7.5, rated High).

Potential Impact

If an attacker is able to achieve remote code execution through a user's vulnerable browser, they gain the same rights as the logged-in user. Running users without administrative rights limits what the attacker can do to the operating system, but even with limited access the attacker can still use the compromised system as a pivot point within the network.

What You Should Do

Currently all versions of IE on all supported servers and workstations are considered vulnerable, and it is recommended to patch as soon as possible because this vulnerability is already being exploited in the wild. For organizations that are unable to patch immediately, it is recommended to implement the following workaround provided by Microsoft:

Restrict access to JScript.dll. For 32-bit systems, enter the following command at an administrative command prompt:
cacls %windir%\system32\jscript.dll /E /P everyone:N

For 64-bit systems, enter the following command at an administrative command prompt:
cacls %windir%\syswow64\jscript.dll /E /P everyone:N

jscript.dll is the legacy JScript engine; current IE versions use it only for pages rendered in a legacy document mode (for example through Compatibility View or an X-UA-Compatible setting), so the workaround only breaks websites that still rely on that engine. Should this impact legitimate websites used in your organization, the workaround can be undone. For 32-bit systems, enter the following command at an administrative command prompt:
cacls %windir%\system32\jscript.dll /E /R everyone

For 64-bit systems, enter the following command at an administrative command prompt:
cacls %windir%\syswow64\jscript.dll /E /R everyone
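The commands above have to be run by hand on each host and give no confirmation that the restriction actually took. The script below is an added example, not part of the deepwatch post or of Microsoft's advisory, that applies, verifies or undoes the same cacls workaround on the local machine and reads the resulting DACL back instead of trusting the command's exit status. It goes slightly beyond the commands quoted above: on 64-bit Windows it handles both the native copy in System32 and the 32-bit copy in SysWOW64, since each is loaded by the corresponding IE process and restricting only one leaves the other loadable. It assumes an elevated, 64-bit PowerShell session on a 64-bit OS (file-system redirection in a 32-bit session would hide the System32 copy), that cacls.exe is present, and that nothing else has added a Deny entry for Everyone to these files; the function names are this example's own.

```powershell
# Added example (not from the deepwatch post or Microsoft's advisory): apply, verify or
# undo the jscript.dll access restriction on the local host. Assumptions: elevated
# PowerShell prompt, cacls.exe present, and no pre-existing Deny entry for Everyone on
# these files other than the one this workaround creates.
[CmdletBinding()]
param(
    [ValidateSet('Apply', 'Verify', 'Undo')]
    [string]$Action = 'Verify'
)

$principal = [Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this from an elevated (administrative) PowerShell prompt.'
}
if ([Environment]::Is64BitOperatingSystem -and -not [Environment]::Is64BitProcess) {
    throw 'Run this from a 64-bit PowerShell; file-system redirection would hide the System32 copy.'
}

# jscript.dll copies present on this host. 64-bit Windows carries a native copy in
# System32 and a 32-bit copy in SysWOW64; 32-bit Windows has only System32.
function Get-JScriptPath {
    $candidates = @("$env:windir\System32\jscript.dll")
    if ([Environment]::Is64BitOperatingSystem) {
        $candidates += "$env:windir\SysWOW64\jscript.dll"
    }
    return @($candidates | Where-Object { Test-Path -LiteralPath $_ })
}

# True when the DACL carries a Deny entry for Everyone (well-known SID S-1-1-0), which is
# what "cacls ... /P everyone:N" leaves behind. Matching on the SID rather than the group
# name keeps the check correct on non-English installs.
function Test-JScriptRestricted {
    param([Parameter(Mandatory)][string]$Path)
    $acl = Get-Acl -LiteralPath $Path
    foreach ($ace in $acl.Access) {
        $sid = $ace.IdentityReference.Translate([Security.Principal.SecurityIdentifier]).Value
        if ($sid -eq 'S-1-1-0' -and $ace.AccessControlType -eq 'Deny') { return $true }
    }
    return $false
}

# Runs the advisory's cacls invocation against one file, then re-reads the ACL and fails
# loudly if the file is not in the expected state afterwards.
function Invoke-JScriptCacls {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string[]]$CaclsArgs,
        [Parameter(Mandatory)][bool]$ExpectRestricted
    )
    $out = & "$env:windir\System32\cacls.exe" $Path $CaclsArgs 2>&1
    if ((Test-JScriptRestricted -Path $Path) -ne $ExpectRestricted) {
        throw "cacls did not leave $Path in the expected state. Output: $out"
    }
}

$paths = Get-JScriptPath
if ($paths.Count -eq 0) { throw 'jscript.dll not found; nothing to do.' }

foreach ($p in $paths) {
    $restricted = Test-JScriptRestricted -Path $p
    switch ($Action) {
        'Apply' {
            if (-not $restricted) {
                Invoke-JScriptCacls -Path $p -CaclsArgs @('/E', '/P', 'everyone:N') -ExpectRestricted $true
            }
        }
        'Undo' {
            if ($restricted) {
                Invoke-JScriptCacls -Path $p -CaclsArgs @('/E', '/R', 'everyone') -ExpectRestricted $false
            }
        }
        'Verify' { }
    }
    $state = if (Test-JScriptRestricted -Path $p) { 'RESTRICTED (workaround in place)' } else { 'UNRESTRICTED' }
    Write-Output ('{0,-40} {1}' -f $p, $state)
}
```

Run it with `-Action Apply` to put the workaround in place, with no arguments (or `-Action Verify`) to audit a host, and with `-Action Undo` to remove the Deny entry before or after the patch is deployed. The ACL read-back is the part worth keeping even if you deploy the raw cacls lines through another tool: a host that reports UNRESTRICTED after an "Apply" run is one the workaround did not protect.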

deepwatch will provide additional information to protect its customers and others if and when it becomes available.
