Likelihood: Moderate

Microsoft released an out-of-band, emergency patch for the Internet Explorer (I.E.) browser. The zero-day remote-code execution vulnerability (CVE-2018-8653) was discovered by Google security researchers. Exploitation of the vulnerability could allow attackers to execute arbitrary code and grant them the same privileges of the current, authorized user. If that user had administrative privileges the attacker could install programs, change or delete documents, perhaps even alter other user privileges and create new accounts. Even with standard user rights (non-administrative), the attacker could steal data, view and perhaps change or delete documents, or simply gain a foothold to the computer to look for opportunities for privilege escalation.

A victim would most likely be attacked through social engineering in a phishing or web-exploit attack. The attacker could craft an email sent to an intended victim with an infected attachment or with a link to a website that has been set up to look legitimate but exploits the browser. If the victim were using I.E., exploitation would occur.

Impact and Remediation

As mentioned, Microsoft issued an emergency security bulletin that provides a patch with instructions, it can be found here. We highly recommend that you apply this patch as soon as possible, especially if you have users that use I.E. If you have a process built for applying emergency patches out-of-cycle this would be an appropriate use of that process.

Between now and when you apply the patch you can implement compensating controls. Perhaps the simplest mitigation is to prevent the use of Internet Explorer through disabling it across the enterprise. However, that may be extreme or not possible, and you can mitigate through removing privileges to the “jscript.dll” in I.E.

Here are instructions provided by Microsoft:

Restrict access to JScript.dll For 32-bit systems, enter the following command at an administrative command prompt:

cacls %windir%\system32\jscript.dll /E /P everyone:N

For 64-bit systems, enter the following command at an administrative command prompt:

cacls %windir%\syswow64\jscript.dll /E /P everyone:N

Impact of Workaround. By default, IE11, IE10, and IE9 uses Jscript9.dll which is not impacted by this vulnerability. This vulnerability only affects certain websites that utilizes JScript as the scripting engine.

How to undo the workaround. For 32-bit systems, enter the following command at an administrative command prompt:

cacls %windir%\system32\jscript.dll /E /R everyone

For 64-bit systems, enter the following command at an administrative command prompt:

cacls %windir%\syswow64\jscript.dll /E /R everyone

Another important action to take is to educate and inform your workforce. Phishing continues to be the primary way organizations are exploited. Being able to recognize a phishing email is an important skill for your employees to have. We recently posted a guide here on our Smarter Cybersecurity Blog for identifying phishing emails.

Finally, please update your security systems such as firewalls, IDS/IPS, Anti-Virus, and end-point protection software as updates become available.

Security On-Demand Actions

It is believed that there are exploits in the wild taking advantage of this vulnerability.

  • As of the time of writing we have yet to identify any indicators. Once we do, they will be tasked in our monitoring system for alerting.
  • Updating internal Firewall, IDS/IPS, and AV signatures in our security systems, including those for whom we manage services respectively.
  • Our SOC is actively hunting for any indications of exploitation

As incidents are discovered we will issue notifications and directly contact potential victims in accordance with our notification and escalation procedures.

About Security On-Demand

Security On-Demand is an industry pioneer and recognized innovator within the managed security space. We are leading the industry in threat detection through behavioral analytics and machine learning.

Sources:

Microsoft Advisory
Bleeping Computer

Contact Us

We're threat hunting! Send us a quick email here and we will get back to you asap.

Not readable? Change text. captcha txt

Start typing and press Enter to search