Microsoft has released an unscheduled patch for a remote code execution vulnerability in Internet Explorer that is actively exploited by attackers.
Microsoft releases security updates on the second Tuesday of every month—known in the industry as Patch Tuesday—and rarely breaks out of that cycle. When it does, the company releases emergency patches for critical vulnerabilities that pose a very high risk of being exploited in the wild or already are.
The vulnerability patched is tracked as CVE-2018-8653 and is a memory corruption issue in the scripting engine of Internet Explorer. Microsoft Edge is not affected.
“The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user,” Microsoft said in a security advisory. “An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.”
The flaw can be used in so-called drive-by download attacks, where users running a vulnerable version of Internet Explorer can get their computers infected by only visiting a malicious or compromised website. Even if a victim’s user account has limited privileges, attackers could still take full control of the system if they combine this flaw with a privilege escalation issue, of which there appears to be no shortage.
The vulnerability was reported to Microsoft by a member of Google’s Threat Analysis Group, so it was likely found in an attack in the wild. Microsoft confirmed this by adding the flag “exploited: yes” to its advisory.
Users are advised to install KB4483187, called “Cumulative security update for Internet Explorer: December 19, 2018,” which updates the vulnerable component, jscript.dll, to version 5.8.9600.19230.
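As an added example (not from the article, and not a Microsoft tool), the script below checks whether the installed jscript.dll is at least the fixed build named above, 5.8.9600.19230. The version is read from the file's binary version resource through the Win32 GetFileVersionInfo API via ctypes, so the lookup itself only runs on Windows; the parsing and comparison are plain Python. The file paths (System32 and, on 64-bit systems, SysWOW64, which holds the 32-bit copy) and the exit-code convention are my assumptions.

```python
import ctypes
import os
import sys

# Fixed build of jscript.dll shipped by KB4483187, as stated in the article.
FIXED_JSCRIPT_VERSION = (5, 8, 9600, 19230)


def parse_version(text):
    """Turn '5.8.9600.19230' (optionally followed by a build tag) into a 4-tuple of ints.

    FileVersion strings on Windows often look like '5.8.9600.19230 (winblue_ltsb.181206-1704)';
    only the leading dotted number is significant.
    """
    core = text.strip().split()[0]
    nums = [int(p) for p in core.replace(",", ".").split(".")[:4]]
    while len(nums) < 4:
        nums.append(0)
    return tuple(nums)


def is_patched(installed, fixed=FIXED_JSCRIPT_VERSION):
    """True when the installed version is the fixed build or a later one."""
    return tuple(installed) >= tuple(fixed)


def file_version_windows(path):
    """Read the VS_FIXEDFILEINFO block of a PE file via the Win32 version API (Windows only)."""
    version = ctypes.windll.version
    size = version.GetFileVersionInfoSizeW(path, None)
    if not size:
        raise OSError("no version resource: %s" % path)
    buf = ctypes.create_string_buffer(size)
    if not version.GetFileVersionInfoW(path, 0, size, buf):
        raise ctypes.WinError()
    ptr = ctypes.c_void_p()
    length = ctypes.c_uint()
    # The root block "\\" yields a pointer to VS_FIXEDFILEINFO:
    # dwSignature, dwStrucVersion, dwFileVersionMS, dwFileVersionLS, ...
    if not version.VerQueryValueW(buf, "\\", ctypes.byref(ptr), ctypes.byref(length)):
        raise ctypes.WinError()
    fixed = ctypes.cast(ptr, ctypes.POINTER(ctypes.c_uint32 * 4)).contents
    ms, ls = fixed[2], fixed[3]
    return (ms >> 16, ms & 0xFFFF, ls >> 16, ls & 0xFFFF)


def jscript_paths():
    """Candidate locations of jscript.dll (assumed layout; SysWOW64 exists only on 64-bit Windows)."""
    root = os.environ.get("SystemRoot", r"C:\Windows")
    candidates = [os.path.join(root, "System32", "jscript.dll"),
                  os.path.join(root, "SysWOW64", "jscript.dll")]
    return [p for p in candidates if os.path.exists(p)]


def main():
    if sys.platform != "win32":
        print("This check reads PE version resources and must run on Windows.")
        return 2
    unpatched = 0
    for path in jscript_paths():
        installed = file_version_windows(path)
        state = "OK" if is_patched(installed) else "VULNERABLE"
        print("%s  %s  %s" % (state, ".".join(map(str, installed)), path))
        unpatched += state != "OK"
    return 1 if unpatched else 0


if __name__ == "__main__":
    sys.exit(main())
```

The file version is a more reliable signal than querying for the KB number alone, because on Windows 10 the same fix ships inside a differently numbered monthly cumulative update; a file at or above the fixed build is what matters.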
While this vulnerability is located in the JScript engine, the VBScript engine in Internet Explorer has also been historically plagued by numerous vulnerabilities—so much so that starting with Windows 10 Fall Creators Update Microsoft disabled VBScript execution by default for sites running in the Internet Zone and the Restricted Sites Zone.
However, Ivan Fratric of Google’s Project Zero Team explained in a blog post that the VBScript engine remains a source of many vulnerabilities and that the restrictions enforced by Microsoft can still be bypassed.
“You might think that all of these issues are avoidable if Internet Explorer isn’t used for web browsing, but unfortunately the problem with VBScript (and IE in general) runs deeper than that,” he said. “Most Windows applications that render web content do it using the Internet Explorer engine, as is the case with Microsoft Office that was used in the recent 0days.”
Attackers Can Brick Servers Through Baseboard Management Controllers
Researchers have demonstrated a method of crashing and leaving servers unbootable by exploiting their Baseboard Management Controllers (BMCs).
A BMC is a microcontroller attached to a computer’s motherboard that runs independently of the main CPU. It is essentially a mini-computer with its own operating system that provides an out-of-band interface for managing servers, reinstalling their operating systems and even updating their firmware (UEFI).
Administrators interact with the BMC through a standardized interface called the Intelligent Platform Management Interface (IPMI). This can be done remotely over a dedicated network port or locally, from inside the host OS, using a subset of IPMI called the Keyboard Controller Style (KCS).
Researchers from Eclypsium demonstrated in a video that an attacker who gains administrative access to a server’s host OS could flash malicious firmware to the BMC over the KCS interface. This doesn’t require any BMC credentials and can be done using standard software tools.
The malicious BMC firmware can then be instructed to erase the UEFI and corrupt parts of itself, leaving the server in an unbootable state that would be very hard to recover from without specialized equipment and advanced technical knowledge.
“This could enable an incredibly damaging attack scenario,” the Eclypsium researchers said in a blog post. “With something as simple as a malware infection or compromising an administrator, an administrator could irrecoverably brick the hardware of a data center. Such an attack could also be easily scheduled to execute at a specific time. They can be implemented as a kill-switch feature in the malicious software, firmware, or hardware components. They can be introduced either physically or remotely, as part of the supply chain, or in operations. And they can stay dormant for arbitrary amounts of time and bring down infrastructure all at once.”
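As an added detection example (written here, not Eclypsium’s code), the script below records a baseline of the BMC firmware identity reported by `ipmitool mc info` and flags any later change. It assumes ipmitool is installed and run as root on the host, using ipmitool’s `open` interface, which reaches the BMC in-band through the OpenIPMI kernel driver; the baseline file path is my assumption, and the sample output embedded in the block is constructed, not captured from a real server. The check is a low-cost sanity check for unplanned firmware changes and complements, rather than replaces, vendor controls such as signed-firmware enforcement, since firmware that has already been replaced can report whatever it likes.

```python
import json
import subprocess
import sys

# Constructed sample of `ipmitool mc info` output (not captured from a real server).
SAMPLE_MC_INFO = """\
Device ID                 : 32
Device Revision           : 1
Firmware Revision         : 3.50
IPMI Version              : 2.0
Manufacturer ID           : 674
Manufacturer Name         : DELL Inc
Product ID                : 256 (0x0100)
Product Name              : Unknown (0x100)
Device Available          : yes
Provides Device SDRs      : yes
Additional Device Support :
    Sensor Device
    SDR Repository Device
Aux Firmware Rev Info     :
    0x00
    0x00
"""

# Fields that together identify the firmware image; an unexpected change here is the signal.
IDENTITY_FIELDS = ("Manufacturer ID", "Product ID", "Firmware Revision", "Aux Firmware Rev Info")

BASELINE_PATH = "/var/lib/bmc-baseline.json"   # assumed location for the recorded baseline


def parse_mc_info(text):
    """Parse the 'Key : Value' layout of `ipmitool mc info`; indented lines extend the previous key."""
    info = {}
    last = None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if raw[0].isspace() and last is not None:
            info[last] = (info[last] + " " + raw.strip()).strip()
            continue
        key, sep, value = raw.partition(":")
        if not sep:
            continue
        last = key.strip()
        info[last] = value.strip()
    return info


def firmware_identity(info):
    """Reduce a parsed mc-info dict to the identity fields only, so the baseline stays small."""
    return {field: info.get(field, "") for field in IDENTITY_FIELDS}


def diff_against_baseline(current, baseline):
    """Return (field, expected, observed) for every identity field that differs from the baseline."""
    return [(f, baseline.get(f, ""), current.get(f, ""))
            for f in IDENTITY_FIELDS if baseline.get(f, "") != current.get(f, "")]


def read_mc_info(ipmitool="ipmitool", interface="open"):
    """Query the local BMC in-band via the OpenIPMI driver (requires root and ipmitool)."""
    out = subprocess.run([ipmitool, "-I", interface, "mc", "info"],
                         capture_output=True, text=True, check=True)
    return parse_mc_info(out.stdout)


def main(argv):
    current = firmware_identity(read_mc_info())
    if len(argv) > 1 and argv[1] == "--record":
        with open(BASELINE_PATH, "w") as fh:
            json.dump(current, fh, indent=2)
        print("baseline recorded:", current)
        return 0
    with open(BASELINE_PATH) as fh:
        baseline = json.load(fh)
    changes = diff_against_baseline(current, baseline)
    for field, expected, observed in changes:
        print("ALERT %s changed: baseline=%r observed=%r" % (field, expected, observed))
    return 1 if changes else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it once with `--record` after a known-good firmware update, then on a schedule; a non-zero exit means an identity field moved without a corresponding change ticket. Keeping the baseline off the host (for example, collected centrally over the dedicated BMC management network) makes the comparison meaningful even when the host OS itself is the thing being doubted.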