Phenquestions
Microsoft released a security update for Internet Explorer on December 19, 2018 that patches a security issue in the scripting engine.
Microsoft describes the issue in the following way:
A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer.
The issue is filed under CVE-2018-8653. The Security Advisory page for CVE-2018-8653 offers additional details. The vulnerability could be used by attackers to execute arbitrary code in the user context if exploited successfully.
If a user has administrative rights, the attacker would get these rights as well; this would allow the attacker to install and run software, and modify system settings among other things.
It appears, from the description, that it is enough to open a specifically prepared website in Internet Explorer to get infected.Woody thinks so, too.
The security issue affects Internet Explorer 11, 10 and 9 on all supported client and server versions of Windows. In particular, it fixes the issue on devices running Windows 7, Windows 8.1 and Windows 10, and Windows Server 2008 and 2012, Windows Server 2012 R2, Windows Server 2016, and Windows Server 2019.
The update is available as a cumulative update for Internet Explorer and Windows. Microsoft enabled the update on Windows Update already but it can also be downloaded from the Microsoft Update Catalog website.
Microsoft Update Catalog website link:
- Windows 7, 8.1, Windows Server 2008 und 2008 R2, Windows Server 2012, 2012 R2, and Windows Embedded: KB4483187
- Windows 10 version 1793: KB4483230
- Windows 10 version 1803: KB4483234
- Windows 10 version 1809: KB4483235
Note that it is not recommended to run a "check for updates" on Windows Update as it may deliver updates that you don't want installed on the device; this may be a new feature update for Windows 10.
The cumulative Internet Explorer security update has a known issue that affects devices running Windows 8.1 or Windows Server 2012 R2. The "About Internet Explorer 11" dialog box shows KB4470199 from December 11, 2018 and not the new update.
Microsoft notes that users may confirm that the system is patched by checking that jscript.dll has the version 5.8.9600.19230. The file is located under C:\Windows\System32\jscript.dll
