We wish you a merry patchmass!
Well with the year winding down you’ve probably seen that Microsoft just released an out of band security patch:
CVE-2018-8653 is described as:
“A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit the vulnerability through Internet Explorer and then convince a user to view the website, for example, by sending an email.”
What does this say to me? Well it says that there’s a few attack vectors that could be leveraged which include:
- Drive by compromise
Now we can see from the release that whilst there is no pubic exploit POC, it has been detected in the wild! Now that the security patch is released, it won’t take long for the clever people (good and bad) to reverse engineer this and create public exploit code. So what this says to me is get a patch on, however since it’s Christmas you may need to adjust your pace and implement an alternate mitigation of restricting access to the vulnerable component:
Restrict access to JScript.dll
Even though this workaround appears to be removed I believe this vulnerability can be mitigated by restricting access to the jscript.dll file. This can be accomplished by running the following command in a command prompt that has administrative privileges on 32-bit systems:
cacls %windir%\system32\jscript.dll /E /P everyone:N
On Windows 64-bit systems, the following command should work:
cacls %windir%\syswow64\jscript.dll /E /P everyone:N
So patch patch patch, or if you can’t then consider changing permissions via a script or configuration management tool (SCCM) etc.
Remember, endpoints are the common route in for attackers to take their next steps so:
- Keep your systems patched
- Run up to date AV
- Ensure host based firewalls are enabled and configured sensibly
- Use a web content filter
- Deploy a hardened configuration
if you want to ensure your business is adequately protected please get in touch with the team and we’ll be happy to help!
Hopefully this is the last patch you will need to deploy this year! but don’t hold your breath!
Stay safe & stay secure!