Microsoft today emitted an emergency security patch for a flaw in Internet Explorer that hackers are exploiting in the wild to hijack computers.
The vulnerability, CVE-2018-8653 , is a remote-code execution hole in the browser's scripting engine.
Visiting a malicious website with a vulnerable version of IE is enough to be potentially infected by spyware, ransomware or some other software nasty so check windows Update and install any available patches as soon as you can. Any injected code will run with the privileges of the logged-in user, which is why browsing the web using Internet Explorer as an administrator is like scratching an itch with a loaded gun.
According to Redmond:
A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.
An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit the vulnerability through Internet Explorer and then convince a user to view the website, for example, by sending an email.
While exploit code for the bug has not been publicly disclosed, it is being leveraged in the wild to attack victims, according to Microsoft, hence why the patches are being flung out today out-of-band, rather than waiting for January's Patch Tuesday to come round. Clement Lecigne of Google’s Threat Analysis Group is credited for uncovered the flaw.
Internet Explorer 9 to 11 on Windows 7 to 10, Server 2008 to 2019, and RT 8.1 are affected, though the server editions run IE in a restricted mode that should thwart attacks via this vulnerability.
One workaround, if you want to hold off on installing patches immediately, is to disable access to JScript.dll using the commands listed by Microsoft in its above-linked advisory. That will force IE to use Jscript9.dll, which is not affected by the flaw. Any websites that rely on Jscript.dll will break, though.
A possible alternative is to not use Internet Explorer, of course.