JPCERT-AT-2018-0051 JPCERT/CC 2018-12-20 <<< JPCERT/CC Alert 2018-12-20 >>> Alert Regarding Vulnerability (CVE-2018-8653) in Microsoft Internet Explorer https://www.jpcert.or.jp/english/at/2018/at180051.html I. Overview Microsoft has released Security Updates regarding vulnerability (CVE-2018-8653) in Microsoft Internet Explorer. This contains updates that are rated as "critical". Remote attackers leveraging this vulnerability may be able to execute arbitrary code. According to Microsoft, an exploit for the vulnerability already exists in the wild. Details on the vulnerability can be found at the following URL: CVE-2018-8653 | Scripting Engine Memory Corruption Vulnerability https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-8653 - KB4483187, KB4483230, KB4483234, KB4483235, KB4483232, KB4483228 KB4483229 II. Affected Products Affected products and versions are as follows: Internet Explorer 11 - Windows 10 Version 1703 for 32-bit Systems (KB4483230) - Windows 10 Version 1703 for x64-based Systems (KB4483230) - Windows 10 Version 1803 for 32-bit Systems (KB4483234) - Windows 10 Version 1803 for x64-based Systems (KB4483234) - Windows 10 Version 1803 for ARM64-based Systems (KB4483234) - Windows 10 Version 1809 for 32-bit Systems (KB4483235) - Windows 10 Version 1809 for x64-based Systems (KB4483235) - Windows 10 Version 1809 for ARM64-based Systems (KB4483235) - Windows Server 2019 (KB4483235) - Windows 10 Version 1709 for 32-bit Systems (KB4483232) - Windows 10 Version 1709 for 64-based Systems (KB4483232) - Windows 10 Version 1709 for ARM64-based Systems (KB4483232) - Windows 10 for 32-bit Systems (KB4483228) - Windows 10 for x64-based Systems (KB4483228) - Windows 10 Version 1607 for 32-bit Systems (KB4483229) - Windows 10 Version 1607 for x64-based Systems (KB4483229) - Windows Server 2016 (KB4483229) - Windows 7 for 32-bit Systems Service Pack 1 (KB4483187) - Windows 7 for x64-based Systems Service Pack 1 (KB4483187) - Windows 8.1 for 32-bit systems (KB4483187) - Windows 8.1 for x64-based systems (KB4483187) - Windows RT 8.1 (KB4483187) - Windows Server 2008 R2 for x64-based Systems Service Pack 1 (KB4483187) - Windows Server 2012 R2 (KB4483187) Internet Explorer 10 - Windows Server 2012 (KB4483187) Internet Explorer 9 - Windows Server 2008 for 32-bit Systems Service Pack 2 (KB4483187) - Windows Server 2008 for x64-based Systems Service Pack 2 (KB4483187) III. Solution Please apply the security update programs through Microsoft Update, Windows Update, etc. as soon as possible. Microsoft Update Catalog https://www.catalog.update.microsoft.com/ Windows Update: FAQ https://support.microsoft.com/en-us/help/12373/windows-update-faq Microsoft has released workarounds for this vulnerability. According to Microsoft, since this vulnerability is affected when jscript is used as a script engine, the vulnerability can be mitigated by restricting access to the JScript.dll file. Please test the effects that the workarounds may cause prior to applying the workarounds, as this may affect certain websites that utilize jscript as the scripting engine. IV. References Microsoft Corporation CVE-2018-8653 | Scripting Engine Memory Corruption Vulnerability https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-8653 Microsoft Corporation December 2018 Security Update Release https://blogs.technet.microsoft.com/msrc/2018/12/19/december-2018-security-update-release-2/ Microsoft Corporation Microsoft Security Updates for December 2018 (Monthly) (Japanese) https://blogs.technet.microsoft.com/jpsecurity/2018/12/12/201812-security-updates/ CERT/CC Vulnerability Note VU#573168 Microsoft Internet Explorer scripting engine JScript memory corruption vulnerability https://www.kb.cert.org/vuls/id/573168/ Japan Vulnerability Notes JVNVU#91880486 Internet Explorer scripting engine JScript memory corruption vulnerability (Japanese) https://jvn.jp/vu/JVNVU91880486/ If you have any information regarding this alert, please contact JPCERT/CC. ====================================================================== JPCERT Coordination Center (JPCERT/CC) MAIL: info@jpcert.or.jp TEL: +81-3-6271-8901 FAX: +81-3-6271-8908 https://www.jpcert.or.jp/english/